2017-04-19 - DRIDEX MALSPAM WITH PDF ATTACHMENTS CONTAINING EMBEDDED WORD DOCS

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2017-04-19-Dridex-malspam-traffic-example.pcap.zip   1.4 MB (1,432,799 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-19-Dridex-malspam-tracker.csv.zip   1.6 kB (1,572 bytes)
• ZIP archive of the emails and artifacts/malware:  2017-04-19-Dridex-malspam-and-artifacts.zip   3.8 MB (3,802,715 bytes)

BACKGROUND ON THIS CAMPAIGN:

• After a 6-month hiatus, Dridex malspam came back in January 2017 (link), but I hadn't personally run across any Dridex until 2017-03-30.
• Since that time, mass-distribution Dridex has been on again/off again, with some malspam runs featuring a former Microsoft zero-day exploit for CVE-2017-0199 (link).
• Unfortunately, I haven't seen any of those emails with exploits based on CVE-2017-0199.
• I've only occasionally seen today's sort of malspam, with PDF attachments having embedded Word documents.
• You must enable macros on those embedded Word documents before an infection can occur.

 

Shown above:  Screenshot of today's Dridex malspam tracker.

 

EMAILS

Shown above:  Example of an email from the 1st wave of Dridex malspam.

 

Shown above:  Example of an email from the 2nd wave of Dridex malspam.

 

FIRST WAVE:

• Date/Time:  Wednesday 2017-04-19 as early as 10:26 UTC through at least 12:49 UTC
• From:  no-reply@123-reg.co.uk
• Subject:  Copy of your 123-reg invoice ( 123-456789012 )   [number changes for each message]
• Attachment name:  123-456789012-reg-invoice.pdf   [number matches subject line]

SECOND WAVE:

• Date/Time:  Wednesday 2017-04-19 as early as 14:30 UTC through at least 15:16 UTC
• From:  canon@[recipeint's email domain]
• From:  MFD@[recipeint's email domain]
• From:  xerox@[recipeint's email domain]
• Subject:  Scanned Image from a Xerox WorkCentre
• Attachment name:  Scan_[3 to 4 digits]_[10 digits].pdf

 

Shown above:  How attachments from both waves of malspam behave.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  More Wireshark filtering shows attempted TCP connections by the infected host.

 

URLS TO RETRIEVE DRIDEX FROM THE WORD DOCUMENT MACROS:

• barkave.comcastbiz.net - GET /6gfd43
• barrets.com.br - GET /6gfd43
• carterfabricationsinc.comcastbiz.net - GET /6gfd43
• cleck.comcastbiz.net - GET /6gfd43
• dbrose.com - GET /6gfd43
• drsketchy.ph - GET /6gfd43
• explorer.comcastbiz.net - GET /6gfd43
• gth.co.uk - GET /6gfd43
• hammis.com - GET /6gfd43
• hawgshackcycles.comcastbiz.net - GET /6gfd43
• integritycomputers.biz - GET /6gfd43
• jeanevermore.com - GET /6gfd43
• jure.cl - GET /6gfd43
• keane-hypnotherapy.com - GET /6gfd43
• mayod.net - GET /6gfd43
• michaelflood.comcastbiz.net - GET /6gfd43
• murrellswaterproofing.com - GET /6gfd43
• narucom.com - GET /6gfd43
• ormagraphica.it - GET /6gfd43
• pierreleroy.net - GET /6gfd43
• steve-b.com - GET /6gfd43
• thefatdude.co.uk - GET /6gfd43
• twotime.comcastbiz.net - GET /6gfd43
• webrus.net - GET /6gfd43

 

INFECTING A WINDOWS HOST BY ENABLING MACROS ON THE EMBEDDED WORD DOCUMENT:

• 216.117.150.240 port 80 - jeanevermore.com GET - GET /6gfd43
• 216.177.132.93 port 4143 - HTTPS/SSL/TLS traffic with Dridex-associated certifcate
• 203.206.230.127 port 443 - HTTPS/SSL/TLS traffic with Dridex-associated certifcate

 

OTHER ATTEMPTED TCP CONNECTIONS FROM THE INFECTED HOST:

• 2.220.229.217 port 443
• 66.214.155.189 port 443
• 86.26.134.210 port 443
• 92.29.196.119 port 443
• 104.162.69.154 port 443
• 109.170.219.19 port 443
• 154.0.173.188 port 443
• 175.33.53.77 port 443
• 190.12.10.94 port 443
• 196.42.9.214 port 443

 

MALWARE

SHA256 HASHES FOR THE ATTACHED PDF FILES:

• 05dd48c95e4e1b81786f9a3f4fcb7a41cc311f55ea8ecddd7f6e859df636e3ca
• 2e9c00a2068a594bef50ac27c0f90e4640689fb6ef1173641220f57b09c47e18
• 37b7487ca7cb16b973e35b3afc63202035bb53d04d15b2150fb5754cb334492e
• 44a7a6e85201a73a35b63c7d0e36320b52dd9023cdea50f8c551687398244c37
• 48c3d56e55697eae003c953f1830e76412241d147aa7ac2231eb39c9f3a266fc
• 4bd1cdd02acc8bd849617120e526c412acd026b92e63438c58a637122eddb634
• 6af64a4869c248ad84d07f0effd7a192d6d63844b5841869ffa9fb993d96482b
• 73a89bcbf9b8176f4acafc2b4b4ad5d145d00c30c436eabf996a640accb15789
• 7460aedf462c05480f036c4d7f5958254208a8cb3db6b1028edb0100717ebc73
• 77afe8ea7a346f93d226245df36907d414052896fdd1a7f03f58621239991859
• 9e1f83c6d7957302282f35d3188c82631d27bab8614120d8fc1a5a75121b69c5
• bedcb0aaf08b9730fd758f8fc803e2d44530eb03e41a68552bcdaf9965915ed1
• c7788d23647fa3a7f488a66d0ecd0263432e2d528939db1cdbe67865feec220f

 

SHA256 HASHES FOR WORD DOCUMENTS EMBEDDED IN THOSE PDF FILES:

• 2b69fd2f9c8752487979c4dceb167a6fca47c462304ec3ca4f2892959fd66b7f
• 5376e3d22a581353cd6edfc9cc27746c558e8749cec5734e93b22ff5e7e5854d
• 61a97941f79d6de863f3f539f64d15b6dfa97e27450e41df03c569c43e0dcbf4
• 710068bcc78b498cde513b3aec41532ffb1bd0587f05e3cdac05e3256ffd5d24
• 864fae08d1db98f1b85df2a5e5523253f1f00eb2d576b38c7591c1985e9b8e63
• 92dd9711f6c6d213df7cfe1b0b1302b685c893e57c246f39bc99aec8db91c0e0
• 9a0f58b63e18003b3e6248115ee1eced2fd4d6a746902eb47ab16ea41ddcec94
• 9f62445b29957ebce2adeca845f412a1c1c67f14eb65a43c7a90e15fc5877e7b
• a1f8cee16dc73af43164f2997ddfb2939c7e928fd85899d4d784d9c7a283f677
• b01e1a7d9949b90eccbfc5c2b757739f5f03dc0884af5675956d3a3b95df8bd4
• d4a36a990b6a82c8c924177ba6c79ba6c3ce1bc9ad2f191aa206ed0e9b9f2b0e
• f74c197bc0a4d3e8c7e477b35b1a2596160722d506969b7322a7326c6c5e8c70
• fa96716253d79a8a2b77dbaad32632e613f2b5dff494c37bb1cc22eeab629299

 

ARTIFACTS FROM AN INFECTED WINDOWS HOST:

• C:\Users\[removed]\AppData\Local\Temp\cAgE.cmd     [Windows command shell script]
• C:\Users\[removed]\AppData\Local\Temp\ferbys2     [encrypted Dridex binary]
• C:\Users\[removed]\AppData\Local\Temp\redchip2.exe     [decrypted Dridex binary]
• C:\Users\[removed]\AppData\Roaming\GmB8Yb\OLEACC.dll     [other artifact found on the infected host]
• C:\Users\[removed]\AppData\Roaming\GmB8Yb\SnippingTool.exe     [copy of legitimate Windows Snipping Tool executable]

 

DRIDEX EXECUTABLE:

• SHA256 hash:  760390f07cefafadece0638a643d69964433041abeab09b65bfcdb922c047872
  File size:   151,552 bytes
  File location:  C:\Users\[removed]\AppData\Local\Temp\redchip2.exe

 

OTHER ARTIFACTS FROM THE INFECTED HOST:

• SHA256 hash:  2c9e1e1ed5743d4ab67e1902ab3dbd3c577bb7cdaed3d47619455314700377c3
  File size:   442,368 bytes
  File location:  C:\Users\[removed]\AppData\Roaming\GmB8Yb\OLEACC.dll

• SHA256 hash:  890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
  File size:   431,104 bytes
  File location:  C:\Users\[removed]\AppData\Roaming\GmB8Yb\SnippingTool.exe
File description:  A legitimate executable (Windows Snipping Tool) copied to this directory...  Not actual malware.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2017-04-19-Dridex-malspam-traffic-example.pcap.zip   1.4 MB (1,432,799 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-19-Dridex-malspam-tracker.csv.zip   1.6 kB (1,572 bytes)
• ZIP archive of the emails and artifacts/malware:  2017-04-19-Dridex-malspam-and-artifacts.zip   3.8 MB (3,802,715 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.