2015-01-07 - RECENT DRIDEX PHISHING CAMPAIGN

ASSOCIATED FILES:

• ZIP - PCAP of the traffic (1 of 2):  2015-01-06-phishing-malware-run-on-VM.pcap.zip
• ZIP - PCAP of the traffic (2 of 2):  2015-01-07-phishing-malware-run-on-VM.pcap.zip
• ZIP - associated malware:  2015-01-06-and-2015-01-07-malware-examples.zip

 

NOTES:

• Yesterday and today, we saw quite a few phishing emails with Word documents and Excel spreadsheet attachments all pushing Dridex malware.
• Other sources have already reported these emails, so I'm focusing more on the post-infection traffic and alerts.
• I infected two VMs using an example from each day.  Lets look at the traffic...

 

PHISHING EMAILS SEEN

TUESDAY 2015-01-06:

• Subject:  Card Receipt
• Attachment name:  CAR015 [random 6 characters].doc

• MD5 hash:  2e8dc58a36806e13cd61e4a25f38c9ee
• Callback:  194.146.109.202:80 - phaluzan.net.amis.hr - GET /js/bin.exe

• MD5 hash:  e7d6aa728aa28487400cb2ae82051531
• Callback:  72.214.217.229:80 - media.mystudio.net - GET /js/bin.exe

 

• Subject:  PAYMENT ADVICE 06-JAN-2015
• Attachment name:  BACS[random 6 numbers]_[random 3 numbers].doc

• MD5 hash:  ce596594218922c9d7429e7de11de3dd
• Callback:  213.9.95.58:8080 - no host name - GET /mans/pops.php

• MD5 hash:  67fd8aac791e49bc90e851fa994bd525
• Callback:  194.28.139.100:8080 - no host name - GET /mans/pops.php

• MD5 hash:  55d6c57bdad8a1e4210c1ff89cd88f78
• Callback:  213.174.162.126:8080 - no host name - GET /mans/pops.php

• MD5 hash:  661e6777cc51c335835a16bb2b79f42c
• Callback:  206.72.192.15:8080 - no host name - GET /mans/pops.php

 

• Subject:  This is your Remittance Advice #[random characters]
• Attachment name:  [same random characters as subject line].xls

• MD5 hash:  4f8564d80c1ad702ea9ea408c8d222d8
• Callback:  206.72.192.15:8080 - no host name - GET /mans/pops.php

• MD5 hash:  ab6335a9f9d616f9bc767e553299898d
• Callback:  194.28.139.100:8080 - no host name - GET /mans/pops.php

• MD5 hash:  c12819787eb0d5949a507b50ab1d18cb
• Callback:  213.9.95.58:8080 - no host name - GET /mans/pops.php

 

WEDNESDAY 2015-01-07:

• Subject:  NUCSOFT-Payroll December 2014
• Attachment name:  Payroll Dec'14.doc

• MD5 hash:  a5a79e75d3bb52de745ed45a6be86cbe
• Callback:  194.146.109.202:80 - cerovski1.net.amis.hr - GET /js/bin.exe

 

• Subject:  Invoice [random amount] GBP
• Attachment name:  RBAC_[random 6 characters].xls

• MD5 hash:  3a63ebdf4a0b34e38c7c1d54a6bb952e
• Callback:  193.136.19.160:8080 - no host name - GET /mans/pops.php

• MD5 hash:  cad6c0834c7519bcafcf6ba20eadb89a
• Callback:  87.106.165.232:8080 - no host name - GET /mans/pops.php

 

• Subject:  Remittance Advice for [random amount] GBP
• Attachment name:  REM_[random 6 characters].doc

• MD5 hash:  ffdb737b8f1e0df7c46a62a812251992
• Callback:  193.136.19.160:8080 - no host name - GET /mans/pops.php

 

TRAFFIC AND ALERTS - 2015-01-06 EXAMPLE

• Attachment name:  CAR015 151239.doc
• MD5 hash:  2e8dc58a36806e13cd61e4a25f38c9ee
• Malware downloaded by the word document:  bin.exe
• MD5 hash:  4914e439a3ea5195aff402372b066e4a

 

TRAFFIC:

• 2015-01-06 22:25:18 UTC - 194.146.109.202:80 - phaluzan.net.amis.hr - GET /js/bin.exe
• 2015-01-06 22:25:26 UTC - 74.208.11.204:8080 - 74.208.11.204 - POST /
• 2015-01-06 22:27:20 UTC - 108.61.179.182:443 - GET /Z/OPoc/Ekov./g1E%26Jm~q%3D
• 2015-01-06 22:27:22 UTC - 108.61.179.182:443 - POST /1R/TNw/Bu5tSl%2CO/UNU&%2DCn/o4S1Ph/RQ%26
• 2015-01-06 22:27:26 UTC - 108.61.179.182:443 - POST /f2KPrpBm%26ZKVfY2haN/n@5&UVhG%3F%2D5.VE$n0x6SMH~uXB/
• 2015-01-06 22:27:28 UTC - 1108.61.179.182:443 - POST /4etq%2Bfn1j&$kN/tK4OR/t%3FF/cK6c2/W
• 2015-01-06 22:27:30 UTC - 108.61.179.182:443 - POST /iwRh/wm%24X&0fmECmORngo/sQ%2DpLz=%2DH/wu2BkG
• 2015-01-06 22:27:31 UTC - 108.61.179.182:443 - POST /if5BS%2D=GE%26xNriIEC%26%2C/9FpLSmnjN%26A/h&T8
• 2015-01-06 22:27:35 UTC - 108.61.179.182:443 - POST /fK8Tmv%7EU/M&YpyS3=SO2/C91fTv%26tJ1+i_RA1
• 2015-01-06 22:27:46 UTC - 108.61.179.182:443 - POST /sjflkg/mg$.cwlga$&m%24s+b&/sf%7Eq+/vti~_+&__ugs@%26q$seksw%2D%26f%24m%2Bqbo.e%3D
• 2015-01-06 22:27:50 UTC - 108.61.179.182:443 - POST /R822X%3F%3DB4%7E%26/%7EI79/88%2Blg7t_.+QJg%2D3n
• And so on...

 

TCP CONNECTIONS ATTEMPTED, BUT RESET BY SERVER:

• 2.176.64.196:8000
• 31.147.155.233:8000
• 31.51.112.79:80
• 37.1.208.21:80
• 59.148.196.153:8080
• 64.185.49.83:80
• 78.23.16.142:80
• 103.248.232.145:80
• 104.243.32.242:80
• 108.61.164.118:443
• 108.61.184.79:443
• 109.54.60.142:8000
• 121.217.197.203:80
• 124.180.73.18:80
• 128.59.177.154:80
• 128.59.188.126:80
• 129.215.244.158:80
• 185.45.193.94:443
• 185.7.151.29:8000
• 187.91.198.205:80
• 194.81.243.42:80
• 202.179.84.223:80
• 203.110.85.217:8000

 

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 194.146.109.202:80 - ET CURRENT_EVENTS Possible Dridex Campaign Download Nov 11 2014 (sid:2019696)
• 1194.146.109.202:80 - ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile (sid:2019714)
• 74.208.11.204:8080 - ET TROJAN W32/Dridex POST CnC Beacon (sid:2019891)
• 108.61.179.182:443 - ET TROJAN Dridex Post Check-in Activity (sid:2020064)

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor events):

• 194.146.109.202:80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 74.208.11.204:8080 - [1:32678:1] MALWARE-CNC Win.Trojan.Dridex variant outbound connection attempt

 

TRAFFIC AND ALERTS - 2015-01-07 EXAMPLE

• Attachment name:  RBAC_7701WF.xls
• MD5 hash:  e3169ab66ecaf99758edbd090e06bb0f
• Malware downloaded by the word document:  test.exe
• MD5 hash:  4bdc0b2c44041dd16e40eebc447d1fe8

 

TRAFFIC:

• 2015-01-07 15:23:17 UTC - 193.136.19.160:8080 - GET /mans/pops.php
• 2015-01-07 15:23:23 UTC - 194.146.136.1:8080 - POST /
• 2015-01-07 15:24:42 UTC - 46.4.152.122:80 - 46.4.152.122 - GET /ofA/CPo8/5msRb/XCLPT/4uJm/jLbWmvzjpuB@L/IOosQ
• 2015-01-07 15:24:44 UTC - 216.170.126.185 - GET /PqktR88EoqTvlih$wvxs_jgx+Blpfuu%3D/s@m%3FQp%2DF%3Ds%26M2+xS%24/sA=QgT+7Ep7gRF8
• 2015-01-07 15:24:44 UTC - 216.170.126.185 - POST /pnfrfitfh%3D..tqefm/hgkn%2Bm@qf%2B%2D/m%3Dkel@j%7Eheh%7E%2B%3D=%2B~/%3Do.cc%2C
• 2015-01-07 15:24:47 UTC - 216.170.126.185 - POST /Ee3r=1rBai5/yhcwMN/u%3DU/b/s3%3DC%3D
• 2015-01-07 15:24:50 UTC - 216.170.126.185 - POST /mh5g3181u&y+z%7E%3D2gboiamluu%3D/35v%2Dn/@blpr5vzcuh&$@p%24r/8$%3FmA%3Fg7%3D@h
• 2015-01-07 15:24:55 UTC - 216.170.126.185 - POST /R7&k%7E_%26/9&NS%2BR0LK+5GC/X%7Eix&t@
• 2015-01-07 15:24:57 UTC - 216.170.126.185 - POST /M9eoH3kEBtkyUQs%3FPcsbJGt%2D.S~C/2Rb2j0=/%3F4l5qMH0iRxL9&~$T%2D_%26V+Wk/oTJ_vu
• 2015-01-07 15:25:02 UTC - 216.170.126.185 - POST /q6M%3FYS+N%3Dx@tgPI%7E/%2BgCE%7ET6s/
• 2015-01-07 15:25:04 UTC - 216.170.126.185 - POST //////////%3D%26+%3D%7E%2B%3D%24$%2B%2D%24%24+_%2B&/%3F%24=_.=&=%2D%3F&&%7E%3D%24
• 2015-01-07 15:25:10 UTC - 216.170.126.185 - POST /He/h/PH+%2CE3JCsF%2D$zv/kc7Zw%24
• 2015-01-07 15:25:12 UTC - 216.170.126.185 - POST /Lf2P2YRjF90nBF2z/UmlbtFnbqQNky8FPXZx/Accos.X%24m2S%26%24
• 2015-01-07 15:25:16 UTC - 216.170.126.185 - POST /pgg4jHoPsJTy03l/KOuX+mMx2ssi82&/O+=nc
• 2015-01-07 15:25:18 UTC - 216.170.126.185 - POST /YGAZuSAsq34/N@SwP$UhxAEnYuQa6RvNk8h/6cCO8&%3DPN3f%2Db/a
• 2015-01-07 15:25:20 UTC - 216.170.126.185 - POST /GFAsP/s3p+$/jAxM%2C/n~
• 2015-01-07 15:25:23 UTC - 216.170.126.185 - POST /3Sv/IP6/o%3DgH2%24%3FP~xs=A/rG1oPvjwa./q%3D%2C/=w8Q%24
• 2015-01-07 15:25:28 UTC - 82.9.68.126 - POST /kikeehhijbi@a/~%24%2Cifel%24c%2B+&a%3F.e%7E%2Dgjicgba%3F%26%3Fi%2C~../h_=~%26%2D
• And so on...

 

TCP CONNECTIONS ATTEMPTED, BUT RESET BY SERVER:

• 90.30.88.105:80
• 129.215.207.186:80
• 130.209.116.185:80
• 147.213.79.114:8000
• 179.43.141.164:80

 

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 194.146.136.1:8080 - ET TROJAN W32/Dridex POST CnC Beacon (sid:2019891)
• 216.170.126.185:80 - ET TROJAN Dridex Post Check-in Activity (sid:2020064)

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor events):

• 193.136.19.160:8080 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• 194.146.136.1:8080 - [1:32678:1] MALWARE-CNC Win.Trojan.Dridex variant outbound connection attempt

 

FINAL NOTES

Once again, here are the associated files:

• ZIP - PCAP of the traffic (1 of 2):  2015-01-06-phishing-malware-run-on-VM.pcap.zip
• ZIP - PCAP of the traffic (2 of 2):  2015-01-07-phishing-malware-run-on-VM.pcap.zip
• ZIP - associated malware:  2015-01-06-and-2015-01-07-malware-examples.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.