Last Updated: 2014-12-01 17:48:11 UTC
by Johannes Ullrich (Version: 1)
This is a guest diary submitted by Brad Duncan.
During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex. Today, we'll examine a wave that occurred approximately 3 weeks ago. The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware.
Various people have posted about Dridex  , and some sites like Dynamoo's blog  and TechHelpList  often report on these and other phishing campaigns.
Let's take a closer look at one of the November phishing waves.
On 11 Nov 2014, I saw at least 60 emails with Duplicate Payment Received in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe.
These messages had an HTML component, and some also had an image displaying a written signature.
After opening the attached Word document on a Windows host, Dridex was downloaded if macros were enabled. Post-infection traffic began shortly after the download.
Shown above: infection traffic as seen in Wireshark.
Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) 
Shown above: events from Sguil in Security Onion.
File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 18.104.22.168/24 block. The following were samples were found:
Example of malicious Word document from 11 Nov 2014 phishing email:
Example of Dridex malware downloaded by the above Word document:
Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net