For the past month or so, I hadn't had any luck finding active malspam campaigns pushing Dridex malware. That changed starting this week, and I've since found several examples. Today's diary reviews an infection from Wednesday September 9th, 2020.
The Word documents
While searching VirusTotal, I found three documents with the same template that generated the same type of traffic (read: SHA256 hash - name):
My lab environment revealed these documents are designed to infect a vulnerable Windows host with Dridex.
Enabling macros caused Powershell to retrieve a DLL file from one of the following URLs over encrypted HTTPS traffic:
After the DLL was saved under the victim's profile, it was run using rundll32.exe. The DLL is an installer for Dridex, and it was run using the following command:
Dridex infection traffic
Dridex post-infection traffic is all HTTPS. In this case, we saw HTTPS traffic over the following IP addresses and ports:
Most of the Dridex post-infection traffic I've seen uses IP addresses without domain names, and issuer data for the SSL/TLS certificates is somewhat unusual. Certificate issuer data for the Dridex post-infection traffic:
Dridex persistent on an infected Windows host
Dridex is made persistent on an infected Windows host using 3 methods simultaneously:
Dridex uses copies of legitimate Windows system files (EXEs) to load and run malware. Dridex DLL files are named as DLLs that would normally be run by these copied system EXEs.
For this infection, all of the persistent Dridex DLL files were 64-bit DLL files.
Indicators of Compromise (IOCs)
Three examples of Microsoft Word documents with macros for Dridex:
Installer DLL for Dridex called by Word macro:
Dridex 64-bit DLL files persistent on the infected Windows host:
URLs from Word macro to retrieve Dridex DLL installer:
Certificate data for Dridex HTTPS traffic to 67.213.75[.]205 port 443:
Certificate data for Dridex HTTPS traffic to 54.39.34[.]26 port 453:
After a period of inactivity, malspam pushing Dridex malware is back, so this blog post reviewed traffic and malware from an infected Windows host. While not much has changed, it's always good to have a refresher.
As usual, up-to-date Windows hosts with the latest security patches and users who follow best security practices are not likely to get infected with this malware. However, I've seen so much come through in the past two or three days that even a small percentage of success will likely be profitable for the criminals behind it.
Sep 10th 2020
|Thread locked Subscribe||
Sep 10th 2020
2 years ago