This is a guest diary submitted by Brad Duncan. During the past few months, Botnet-based campaigns have sent waves of phishing emails associated with Dridex. Today, we'll examine a wave that occurred approximately 3 weeks ago. The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware. Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog [3] and TechHelpList [4] often report on these and other phishing campaigns. Let's take a closer look at one of the November phishing waves. On 11 Nov 2014, I saw at least 60 emails with Duplicate Payment Received in the subject line. This appeared to be a botnet-based campaign from compromised hosts at various locations across the globe. These messages had an HTML component, and some also had an image displaying a written signature. After opening the attached Word document on a Windows host, Dridex was downloaded if macros were enabled. Post-infection traffic began shortly after the download. Shown above: infection traffic as seen in Wireshark. Monitoring the infection traffic on Security Onion, we found alerts for Dridex traffic from the EmergingThreats signature set (ET TROJAN Dridex POST Checkin) [5] Shown above: events from Sguil in Security Onion. File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block. The following were samples were found: Example of malicious Word document from 11 Nov 2014 phishing email: https://malwr.com/analysis/M2M2ZDQxM2M2NzFhNDllZDhjMjQzMjAyYzRkNWZhYTA/ Example of Dridex malware downloaded by the above Word document: https://malwr.com/analysis/YzA3ZDY0ODE2ZjY5NDE3NTlhZjkyNTg3NTIwNDljM2I/ References: [1] http://stopmalvertising.com/malware-reports/analysis-of-dridex-cridex-feodo-bugat.html ---------- |
Johannes 4037 Posts ISC Handler Dec 1st 2014 |
Thread locked Subscribe |
Dec 1st 2014 6 years ago |
A nice write up.
|
Steve 2 Posts |
Quote |
Dec 1st 2014 6 years ago |
Thanks!
|
Brad 386 Posts ISC Handler |
Quote |
Dec 1st 2014 6 years ago |
Sign Up for Free or Log In to start participating in the conversation!