Dridex Banking Malware Overview
It has recently been reported that the prolific Dridex banking malware is back in a new and improved version and has begun going after targets in the UK, France and Australia. The malware was first spotted in 2014 and was highly active throughout 2017, targeting banks across the globe. The new campaign sends malicious phishing emails that point to compromised FTP sites, rather than the more usual HTTP links, as download locations for the malicious documents, exposing the credentials of the compromised FTP sites in the process.
The emails were sent primarily to .COM top-level domains (TLDs), with the second, third and fourth most affected TLDs suggesting that the major regional targets were France, the UK and Australia respectively. The sender domains were observed to be compromised accounts. The sender names rotated among the following, perhaps to make the emails look more convincing to unsuspecting recipients:
- admin@
- billing@
- help@
- info@
- mail@
- no-reply@
- sale@
- support@
- ticket@
Brief Analysis
The campaign used two types of documents. The first is a DOC file that abuses DDE to execute a shell command that downloads the malware. The second is an XLS file with a macro that downloads Dridex from the location hxxp://theairlab[.]co.za/KJHdey3. The compromised servers do not appear to be running the same FTP software, so it seems likely that the credentials were compromised in some other way. The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. Multiple attributes of the campaign suggest that it may be coming from the Necurs botnet:
- The domains used for distribution were already present in records as compromised domains used in previous Necurs campaigns.
- Necurs is historically known to spread Dridex.
- The document downloaders are also similar to those used by Necurs in the past.
- The download location of the XLS file also follows the traditional Necurs format.
However, the volume of this particular campaign is very low
compared to typical Necurs campaigns.
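As an added example (not the report's own tooling), the Python helper below refangs the report's defanged notation and flags download locations that embed credentials, which is the exposure described above; the sample indicators are quoted from the report's IOC list and the hostnames are only parsed, never contacted.

```python
import re
from urllib.parse import urlsplit

# Defanged IOC notation used in the report: "hxxp://" for "http://", "[.]" for ".".
# Refanging is only so the string parses; nothing here fetches anything.
def refang(ioc: str) -> str:
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")

def classify_download_location(ioc: str) -> dict:
    """Parse one download location and report whether it leaks credentials.
    A URL with userinfo (user:password@host) carries the compromised site's
    login in the email body itself, the exposure the report describes."""
    url = refang(ioc)
    if "://" not in url:  # bare host or ip:port entries in the IOC list
        url = "unknown://" + url
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port,  # None when absent
        "path": parts.path,
        "has_credentials": parts.username is not None,
        # Credential-bearing FTP links are the hallmark of this campaign's stagers.
        "is_ftp_stager": parts.scheme == "ftp" and parts.username is not None,
    }

def hosts_with_exposed_credentials(iocs) -> list:
    """Distinct hosts whose login is embedded in the given indicators, in order seen."""
    seen = []
    for ioc in iocs:
        info = classify_download_location(ioc)
        if info["has_credentials"] and info["host"] not in seen:
            seen.append(info["host"])
    return seen

# Sample indicators quoted from the report's IOC list (credentials redacted there).
SAMPLE_IOCS = [
    "ftp://{redacted}:{redacted}@www.emtech-canada[.]com/docs/scan_17.01.doc",
    "ftp://{redacted}:{redacted}@basedow-bilder[.]de/httpdocs/docs/scan_17.01.xls",
    "ftp://{redacted}:{redacted}@www.emtech-canada[.]com/docs",
    "hxxp://theairlab[.]co.za/KJHdey3",
    "69.90.132[.]196:443",
]

if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        print(classify_download_location(ioc))
    print("hosts leaking credentials:", hosts_with_exposed_credentials(SAMPLE_IOCS))
```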
Indicators Of Compromise (IOCs)
SHA-1
- 23b84ed99d9761ce4ffdf928e472ee03afb3615f
- e6347d6245308e104a1f4225cdd2c814cff1a63a
- 5697b0e3123b7d9511568d153e5545eb0ec5c906
- a1843ecc6f0c3f3fe0a3ef13d81d69abfaf6d4c9
- 7b7cdd64f0e66776303b4c09eefbac23471a58f1
IPs
- 69.90.132[.]196:443
- 108.166.114[.]38:4443
- 138.197.255[.]18:4143
Dridex Download Locations
- hxxp://theairlab[.]co.za/KJHdey3
- 185.176.221[.]146
FTP URLs