2017-12-04 - DRIDEX IS BACK, BABY! - NECURS BOTNET MALSPAM PUSHES DRIDEX

ASSOCIATED FILES:

NOTES:

Shown above:  Some might say it never left.

Shown above:  Flowchart for these Dridex malspam infections.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains/URLs:

EMAILS

Shown above:  Screenshot from the email tracker.

Shown above:  Screenshot from one of the emails.

EMAIL HEADERS:

Shown above:  Clicking on a link in one of the emails.

Shown above:  The downloaded Word document and embedded object.

Shown above:  Warning that pops up when you double-click the embedded object.

Shown above:  Embedded batch file running an HTML page when you click past the warning.

TRAFFIC

Shown above:  Network traffic from an infection filtered in Wireshark.

URLS FROM THE EMAILS:

NETWORK TRAFFIC FROM MY LAB HOST:

ADDITIONAL URLS TO GRAB THE DRIDEX INSTALLER:

Shown above:  Redirect after clicking link from the email.

Shown above:  HTTP GET request to tanbehtinho.net returns the malicious Word document.

Shown above:  HTTP GET request that returned the Dridex installer.

Shown above:  SSL/TLS traffic to non-standard port with Dridex-style certificate data.

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.

FORENSICS ON AN INFECTED WINDOWS HOST

The Dridex infection was kept persistent through a scheduled task.  The associated EXE and DLL files were in a directory under C:\Windows\System32 that had 4 random digits in the directory name.  These binaries (EXE, DLL files) changed each time I rebooted the computer.  See the images below for details.

Shown above:  Example of a scheduled task on the infected Windows host in my lab.

Shown above:  The same scheduled task and associated malware after I re-booted my infected Windows host in my lab.

Shown above:  And it changed yet again when I rebooted it.

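A defender-side hunt for the persistence mechanism described in this section, added here as an example (it is not part of the original write-up and carries no indicators from this infection): it enumerates scheduled tasks and flags any whose action runs an executable from a four-digit directory directly under C:\Windows\System32, then records the current SHA256 and the sibling DLLs, because the binaries were observed to change on every reboot and a fixed file hash is therefore a poor indicator. The regex, the output fields and the reliance on the ScheduledTasks module (Get-ScheduledTask, Windows 8 / Server 2012 and later) are my assumptions; run it elevated on the host under investigation.

```powershell
# Added example (not from the original analysis): hunt for scheduled tasks
# whose action runs an EXE from C:\Windows\System32\<4 digits>\ and record
# what is currently on disk. Assumes the ScheduledTasks module is available.

# Assumed pattern, based on the directory naming described in the write-up.
$pattern = '^C:\\Windows\\System32\\\d{4}\\[^\\]+\.exe$'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry a program path; COM-handler actions do not.
        if (-not $action.Execute) { continue }

        # Expand %SystemRoot%-style variables and strip surrounding quotes
        # so the path can be matched literally (-match is case-insensitive).
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if ($exe -notmatch $pattern) { continue }

        $dir = Split-Path $exe -Parent

        # The binaries are rewritten on reboot, so capture what is there now
        # rather than comparing against a hash captured earlier.
        $hash = if (Test-Path $exe) {
            (Get-FileHash -Algorithm SHA256 -Path $exe).Hash
        } else { '<missing on disk>' }

        $dlls = if (Test-Path $dir) {
            (Get-ChildItem -Path $dir -Filter *.dll -ErrorAction SilentlyContinue).Name -join ';'
        } else { '' }

        $info = $task | Get-ScheduledTaskInfo

        [pscustomobject]@{
            TaskName    = $task.TaskName
            TaskPath    = $task.TaskPath
            Author      = $task.Author
            State       = $task.State
            Execute     = $exe
            Arguments   = $action.Arguments
            SHA256      = $hash
            SiblingDLLs = $dlls
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Host 'No scheduled task actions matched the System32\<4 digits>\ pattern.'
}
```

Because the path pattern, not the file content, is what stays stable across reboots, the same script can be re-run after a reboot to show the new EXE and DLL names alongside the unchanged task, which is exactly the behaviour the screenshots in this section document. Matching hits should be cross-checked against the task's trigger and the directory's creation time before treating them as confirmed.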
MALWARE

DOWNLOADED WORD DOCUMENT:

DRIDEX INSTALLER:

ARTIFACTS ON THE INFECTED HOST:

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
