2017-12-04 - DRIDEX IS BACK, BABY! - NECURS BOTNET MALSPAM PUSHES DRIDEX

ASSOCIATED FILES:

• Zip archive of the spreadsheet tracker:  2017-12-04-Dridex-malspam-tracker.csv.zip   0.6 kB (634 bytes)
• Zip archive of the emails (all in one text file):  2017-12-04-emails-from-malspam-pushing-Dridex.txt.zip   3.5 kB (3,532 bytes)
• Zip archive of the traffic:  2017-12-04-Dridex-malspam-traffic.pcap.zip   437 kB (436,780 bytes)
• Zip archive of the malware and artifacts:  2017-12-04-artifacts-from-Dridex-malspam-infection.zip   1.5 MB (1,525,222 bytes)

 

NOTES:

• I haven't run across Dridex in a while.  The last time I documented it was on 2017-06-05.
• From what I can tell, these emails appear to be malicious spam (malspam) from the Necurs Botnet.
• However, this wave is separate from the other two waves of Necurs Botnet malspam pushing Globe Imposter ransomware today (link).
• This wave also seemed much more limited than those other waves of Necurs Botnet malspam.
• See below for more notes under "Forensics on an infected Windows host".

 

Shown above:  Some might say it never left.

 

Shown above:  Flowchart for these Dridex malspam infections.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains/URLs:

• hxxp://protcuba.com/seadkhd.html
• hxxp://www.drpampe.com/sbaoejv.html
• hxxp://ssemanipur.com/fqslgci.html
• hxxp://tecclix.com/hgpniud.html
• tanbethinho.net
• hxxp://tci.seventhworld.com/Pkjfgw32
• hxxp://phonecenter24.de/Pkjfgw32
• hxxp://bawabetelbaik.com/Pkjfgw32
• hxxp://nrrgarment.com/Pkjfgw32

 

EMAILS

Shown above:  Screenshot from the email tracker.

 

Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

• Date/Time:  Monday 2017-12-04 as early as 16:14 UTC through at least 20:46 UTC

• From:  "Jarvis Shanks" <sale@ronpaulradio.org>
• From:  "Ralph Brigham" <mail@hispanoylatinodeoro.org>
• From:  "Dana Riddell" <billing@usaescortsforthedisabled.net>
• From:  "Ignacio Barkman" <ale@mercati.mx>

• Subject:  Credit card payment

• Received: from ronpaulradio.org ([194.58.38.152])
• Received: from hispanoylatinodeoro.org ([134.0.118.143])
• Received: from usaescortsforthedisabled.net ([194.58.40.161])
• Received: from mercati.mx ([194.58.46.28])

 

Shown above:  Clicking on a link in one of the emails.

 

Shown above:  The downloaded Word document and embedded object.

 

Shown above:  Warning that pops up when you double-click the embedded object.

 

Shown above:  Embedded batch file running an HTML page when you click past the warning.

 

TRAFFIC

Shown above:  Network traffic from an infection filtered in Wireshark.

 

URLS FROM THE EMAILS:

• protcuba.com - GET /seadkhd.html
• www.drpampe.com - GET /sbaoejv.html
• ssemanipur.com - GET /fqslgci.html
• tecclix.com - GET /hgpniud.html

 

NETWORK TRAFFIC FROM MY LAB HOST:

• 64.29.151.221 port 80 - www.drpampe.com - GET /sbaoejv.html
• 47.254.17.41 port 80 - tanbethinho.net - GET /doc.php
• 192.185.57.176 port 80 - tci.seventhworld.com - GET /Pkjfgw32
• 91.92.136.107 port 443 - SSL/TLS traffic from Dridex-infected Windows host
• 178.18.125.1 port 4843 - SSL/TLS traffic from Dridex-infected Windows host
• 108.166.114.38 port 4443 - SSL/TLS traffic from Dridex-infected Windows host
• 107.170.65.224 port 4143 - SSL/TLS traffic from Dridex-infected Windows host

 

ADDITIONAL URLS TO GRAB THE DRIDEX INSTALLER:

• phonecenter24.de - GET /Pkjfgw32
• bawabetelbaik.com - GET /Pkjfgw32
• nrrgarment.com - GET /Pkjfgw32

 

Shown above:  Redirect after clicking link from the email.

 

Shown above:  HTTP GET request to tanbehtinho.net returns the malicious Word document.

 

Shown above:  HTTP GET request that returned the Dridex installer.

 

Shown above:  SSL/TLS traffic to non-standard port with Dridex-style certificate data.

 

Shown above:  Some alerts from Sguil in Security Onion using Suricata and the EmergingThreats ruleset.

 

FORENSICS ON AN INFECTED WINDOWS HOST

The Dridex infection was kept persistent through a scheduled task.  The associated EXE and DLL files were in a directory under C:\Windows\System32 that had 4 random digits in the directory name.  These binaries (EXE, DLL files) changed each time I rebooted the computer.  See the images below for details.

 

Shown above:  Example of a scheduled task on the infected Windows host in my lab.

 

Shown above:  The same scheduled task and associated malware after I re-booted my infected Windows host in my lab.

 

Shown above:  And it changed yet again when I rebooted it.

 

MALWARE

DOWNLOADED WORD DOCUMENT:

• SHA256 hash:  82ef489c25708e1d9153ebab0717449c52d2e9f679788327fd8d5e2aaf7cab24
  File size:  230,759 bytes
  File name:  Payment_[random numbers].doc

 

DRIDEX INSTALLER:

• SHA256 hash:  daab430bb5771eaa7af0fbd3417604e8af5f4693099a6393a4dc3b440863bced
  File size:  135,168 bytes
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Templates\[random numbers].exe

 

ARTIFACTS ON THE INFECTED HOST:

• SHA256 hash:  e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
  File size:  15,360 bytes
  File location:  C:\Windows\System32\3352\tcmsetup.exe
  File description:  Not inherently malicious, Identified as #goodware #whitelist on VT in 2013.  Probably used to load any file named TAPI32.DLL located in the same directory.

• SHA256 hash:  c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
  File size:  bytes
  File location:  C:\Windows\System32\4761\SystemPropertiesDataExecutionPrevention.exe
  File description:  Not inherently malicious, Identified as #goodware #whitelist on VT in 2013.  Probably used to load any file named SYSDM.CPL located in the same directory.

• SHA256 hash:  0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
  File size:  82,432 bytes
  File location:  C:\Windows\System32\6278\SystemPropertiesComputerName.exe
  File description:  Not inherently malicious, Identified as #goodware #whitelist on VT in 2013.  Probably used to load any file named SYSDM.CPL located in the same directory.

• SHA256 hash:  cc7bf59c7dd0a0a0697c3e0d0fa0413965d24641ed151e36e1cb514e3e949c44
  File size:  483,328 bytes
  File location:  C:\Windows\System32\3352\TAPI32.dll
  File description: Malicious DLL (Dridex) loaded by non-malicious file: tcmsetup.exe

• SHA256 hash:  62a17e2bdc4d3d031683bdfa0f3d90c914073374f4696c548fac400fb0023547
  File size:  471,040 bytes
  File location:  C:\Windows\System32\4761\SYSDM.CPL
  File description: Malicious DLL (Dridex) loaded by non-malicious file: SystemPropertiesDataExecutionPrevention.exe

• SHA256 hash:  f5e76cb8f763f93e243f0361d4c8c736e9fb90dfe4c63bd2a33851ac0450ffb3
  File size:  692,224 bytes
  File location:  C:\Windows\System32\6278\SYSDM.CPL
  File description: Malicious DLL (Dridex) loaded by non-malicious file: SystemPropertiesComputerName.exe

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the spreadsheet tracker:  2017-12-04-Dridex-malspam-tracker.csv.zip   0.6 kB (634 bytes)
• Zip archive of the emails (all in one text file):  2017-12-04-emails-from-malspam-pushing-Dridex.txt.zip   3.5 kB (3,532 bytes)
• Zip archive of the traffic:  2017-12-04-Dridex-malspam-traffic.pcap.zip   437 kB (436,780 bytes)
• Zip archive of the malware and artifacts:  2017-12-04-artifacts-from-Dridex-malspam-infection.zip   1.5 MB (1,525,222 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.