2015-04-15 - DRIDEX MALSPAM ABOUT FAILED WIRE TRANSFERS

ASSOCIATED FILES:

• ZIP - spreadsheet of emails and malware links:  2015-04-15-Dridex-email-info.csv.zip
• ZIP - spreadsheet of malware info and Virus Total/Malwr.com links:  2015-04-15-Dridex-malware-info.csv.zip
• ZIP - pcap of the infection traffi:  2015-04-15-Dridex-infection-traffic.pcap.zip
• ZIP - associated malware samples:  2015-04-15-Dridex-malware-samples.zip

 

NOTES:

• This particular Dridex run had links in the emails that were Google redirects to Dropbox URLs.
• See the above spreadsheets for examples of the links.

 

EMAILS

SCREENSHOT EXAMPLE:

 

EXAMPLES OF THE SUBJECT LINES:

• Aborted Domestic Wire payment (P4665571)
• Aborted Domestic Wire transfer (Z7361134)
• Aborted Wire payment (G2486139)
• Cancelled Domestic Wire payment (I5649242)
• Cancelled Domestic Wire transfer (T2548758)
• Denied Domestic Wire payment (A0466821)
• Denied Domestic Wire transfer (V0875467)
• Denied Wire transfer (U9911821)
• Rejected Domestic Wire payment (R4839145)
• Rejected Domestic Wire transfer (T0617091)
• Rejected Wire payment (D2862795)
• Rejected Wire transfer (F2447084)

 

EXAMPLES OF MALWARE FROM THE LINKS IN THE EMAILS:

• file name: TRANSFER 6262.scr - MD5 hash: 055ec8b8641f265a5d92f28340966cc4
• file name: WIRE TRANSFER 5161.scr - MD5 hash: 16a0c11f645e16297a353f160229ea02
• file name: RECENT WIRE PAYMENT 1073.scr - MD5 hash: 1a0dce2b29b56f45285e9b4fa15a78b0
• file name: RECENT WIRE TRANSFER 4187.scr - MD5 hash: 2c43148d6cf54decc830f35cd1003cac
• file name: TRANSFER 8879.scr - MD5 hash: 568b54d4548fe43d3b9be34011fdd7a1
• file name: WIRE TRANSFER 0078.scr - MD5 hash: 629ace2b622690bf52a8e646ece31174
• file name: WIRE PAYMENT 7854.scr - MD5 hash: 6d0734be8adcdcbe9338ef3d90bbf911
• file name: PAYMENT 8791.scr - MD5 hash: 79edb2e4b6d8530ef048d16d74ca2004
• file name: RECENT WIRE TRANSFER 2300.scr - MD5 hash: 8c4d60b8bed668b033784cbd3a830f0f
• file name: RECENT WIRE PAYMENT 6732.scr - MD5 hash: 94a86d50ffd4cbfb7262acbe9be2eb53
• file name: PAYMENT 5220.scr - MD5 hash: a64b18e46ea87abce4bf784d1b9a99c8
• file name: PAYMENT 9008.scr - MD5 hash: b718a978fb4f1727158834aae449b6f7
• file name: PAYMENT 8610.scr - MD5 hash: bd76ed5d4ff737d3c612bb8bac31b275
• file name: PAYMENT 7453.scr - MD5 hash: dc2888c271b715ccddf0ed8d490bae70
• file name: PAYMENT 5525.scr - MD5 hash: e5d0c45351a73b14e6e913263811948c
• file name: WIRE PAYMENT 5594.scr - MD5 hash: ec602668d681a13504b99adb6682ab19
• file name: WIRE TRANSFER 9012.scr - MD5 hash: fc208c52190bedc5e36b257e07d4ed81

 

INFECTION TRAFFIC

FROM MONITORING AN INFECTED HOST:

• 188.226.150.141 port 1443 - encrypted (TLS) traffic with certificate for srv1.mainsftdomain.com
• www.download.windowsupdate.com - GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab
• 136.243.237.199 port 80 - sfx.co - POST /qjwyg/1wFkvkEpUTt/fC%3D8si
• 136.243.237.199 port 80 - frvus.us - POST /i4Ck7/3%3DjhlLOq/l2rQTOzx/%3F9H=
• 136.243.237.199 port 80 - bgw.org - POST /fCrvS%26LBb8x.4/@rf$bC9JPLo/S6I6u%2DY/4%260f/%2DLs0lc
• 136.243.237.199 port 80 - kdhltfqwagdq.net - POST /KjVNAvlQxB%2BBf/Q6$+S2jbaR+1Mv%24Cx/CVv4rNx&yvWR
• 136.243.237.199 port 80 - kmmhlwd.net - POST /7Zn1SsLu_p%24S36T1FeqsLm_o%2CPfgs/UjE%2CRz%2BtP%24Bi%7E_/Rl1
• 136.243.237.199 port 80 - tdyzvswnkeqakoyo.com - POST /1XCOCKx5R6/y%2Dn%3F&=g=0bKoa~z%24A%24%241Lv/n%3F7+gq$+I9FsAnJFoSP6YS/zQl%2B
• 136.243.237.199 port 80 - uryqekjynzxvz.com - POST /BBJ4OuSgMiJ3rE%7E%2CQIJu9UE/x%3FSNUWxBB~S/kOJQQheJO=na0
• 136.243.237.199 port 80 - swxswcavpaxqmqyff.biz - POST /ujEY/ZQ%248Tr/S1QoL%7E
• 136.243.237.199 port 80 - ipplusnbnrrjkqzv.in - POST /xU/7ks0B@92/t9kQ/N%3DP.BQF/u/
• 136.243.237.199 port 80 - eevdmpbpyyqfyj.edu - POST /5stNGh/TFb%24TwY$4%24u+Vk/Q7Ji&oz%2DTn7SPhB$RAJ5sC
• 136.243.237.199 port 80 - lxgcgljn.edu - POST /FztGhxxF8%3D%2B%2De%2Dm_k3E%24i~hnAl2mxgz&9v%3F%7E0_/hiK5=q%26zvE6r8/ucj30%7E%24
• 136.243.237.199 port 80 - eikgkzorh.eu - POST /XrPwfxxr+B~ixjM/L++$Gl3K_tXS%7Ep$h4sY&/=pzaO1ofztyFJ/yrcaK%2D%2B
• 136.243.237.199 port 80 - nihaaju.in - POST /IsBG5UV/G1_nn8W~_WSI./K+~wSV3/~
• 136.243.237.199 port 80 - whyyrzmpuhgjmjjckd.com - POST /nuUs$H3YOs/ExOUYRs%3F5Mj%7E%2CI/SWhXaRtv/YNr3/0%24LzW
• 136.243.237.199 port 80 - dnbfz.me - POST /fgjh/fjih%7E%2C@%24%26c%24%3D.%2C%2Bj%24e%2C%24/%2B$$je/@gbi+~@=/s%2Cg%3F%2Bch
• 79.168.145.215 port 80 - mkcxmosff.me - POST /iSNams/RbqIAS4+kn/71q~%2BT

 

NOTES:

• I used PAYMENT 5220.scr (MD5 hash: a64b18e46ea87abce4bf784d1b9a99c8) to generate the above traffic.
• In another test environment with the same malware sample, I also got Dridex-style URLs to 213.138.124.13 and 79.168.145.215.

 

SNORT EVENTS

The only Dridex-specific alert I got was the following:

• 188.226.150.141 port 1443 - ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com (sid:2020866)

 

FINAL NOTES

Once again, here are the associated files:

• ZIP - spreadsheet of emails and malware links:  2015-04-15-Dridex-email-info.csv.zip
• ZIP - spreadsheet of malware info and Virus Total/Malwr.com links:  2015-04-15-Dridex-malware-info.csv.zip
• ZIP - pcap of the infection traffi:  2015-04-15-Dridex-infection-traffic.pcap.zip
• ZIP - associated malware samples:  2015-04-15-Dridex-malware-samples.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.