2018-02-05 - MALSPAM USING PDF ATTACHMENTS TO PUSH DRIDEX SINCE 2018-01-30

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES FROM TODAY:

• 2018-02-05-Dridex-malspam-tracker.csv.zip   1.0 kB (988 bytes)
• 2018-02-05-Dridex-emails-and-malware.zip   486.6 kB (486,597 bytes)
• 2018-02-05-Dridex-infection-traffic.pcap.zip   209.7 kB (209,694 bytes)

ASSOCIATED FILES FROM AN INFECTION ON 2018-01-30:

• 2018-01-30-Dridex-email-and-malware.zip   302.1 kB (302,125 bytes)
• 2018-01-30-Dridex-infection-traffic.pcap.zip   307.1 kB (307,077 bytes)

 

NOTES

• Since 2018-01-30, I've seen at least two waves of malspam using PDF files to push Dridex, and most of these PDF files showed zero detection in VirusTotal when I checked.
• The PDF files contain a link to a 7-zip archive, and the downloaded 7-zip archive contains a VBS file designed to infect Windows hosts with Dridex.
• URLs for these 7-zip archives are aware if you're coming from a VPN, which is the probably reason these PDF files had very low to zero detection.
• My Online Security has already posted information on today's wave here.
• These waves of malspam haven't been as wide-spread as I've seen before with Dridex.
• My archives from 2018-01-30 were part of a data dump I did on Friday 2018-02-02.  If you want those IOCs, you'll have to review the material in those zip files.
• See more notes in the post-infection forensics section below.

 

Shown above:  Spreadsheet tracker for today's Dridex malspam (1 of 2).

 

Shown above:  Spreadsheet tracker for today's Dridex malspam (2 of 2).

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• etlitttothen[.]com
• witsemehat[.]net
• hxxp[:]//atakan[.]com/98ygubyr5?
• hxxp[:]//fbl[.]com[.]sg/98ygubyr5?
• hxxp[:]//ferienimboden[.]com/98ygubyr5?
• hxxp[:]//hwayou[.]com[.]tw/98ygubyr5?
• hxxp[:]//techknowlogix[.]net/98ygubyr5?

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

DATA FROM 10 EMAIL SAMPLES:

• Date/Time: Monday 2018-02-05 as early as 14:19 through at least 17:00 UTC
• Received: from akcgrup[.]net ([185.65.246[.]142])

• From: "Althea Slimp" <Althea@sailslowdance[.]com>
• From: "Drew Larter" <Drew@sailslowdance[.]com>
• From: "Edith Harlock" <Edith@sailslowdance[.]com>
• From: "Fannie Wilkinson" <Fannie@sailslowdance[.]com>
• From: "Karin Kid" <Karin@sailslowdance[.]com>
• From: "Lorie Prior" <Lorie@sailslowdance[.]com>
• From: "Marietta Mclaughlin" <Marietta@sailslowdance[.]com>
• From: "Marlene Burke-roche" <Marlene@sailslowdance[.]com>
• From: "Nathaniel Lant" <Nathaniel@sailslowdance[.]com>
• From: "Stefanie Cockerall" <Stefanie@sailslowdance[.]com>

• Subject: SCAN_0502_ASGPVJ
• Subject: SCAN_0502_GDYHZYUN
• Subject: SCAN_0502_GYNUZ
• Subject: SCAN_0502_KGAOSNSE
• Subject: SCAN_0502_KUOQJ
• Subject: SCAN_0502_NQBQG
• Subject: SCAN_0502_PCFBB
• Subject: SCAN_0502_QUOEOPCV
• Subject: SCAN_0502_SSLYWTJF
• Subject: SCAN_0502_VIWHG

 

MALWARE

Shown above:  Downloading a 7-zip archive from one of the PDF attachments.

 

Shown above:  VBS file extracted from one of the downloaded 7-zip archives.

 

EMAIL ATTACHMENTS:

• d23d516fde33edb6986a53decaa3377f21bac5cc1602c4cef6caa98af472a5c5 - SCAN_0502_38DC4.pdf
• ed39236e0dc0aaec11ac46202ec587d7d505888e0fc151440fa7d72874416a16 - SCAN_0502_4F16.pdf
• 759082d5f352ba7c24de89ec079e89dca882bb1506c4231d4f175375afebfa84 - SCAN_0502_5AFA7.pdf
• 136cbad1799316ffb8a4050f0bc854a2d1d6d3b46e381e71448daf6dcc33d923 - SCAN_0502_8739.pdf
• ead747473d7737b06d820e2ebd4f2bc538cac19dee2b79baa558c2f2a65575de - SCAN_0502_A2B7.pdf
• 890a79251f62afee8a708e4e8dbee29d7f0c302c9a68a7ef40d0e45e15c99fdc - SCAN_0502_BB5D.pdf
• f90e5e027b4a3ca096651944ae0be8f3a3e03b7fbf7174fe73a9d8d35de05bb2 - SCAN_0502_CAB1.pdf
• 187eec96c7d722b2fa58f67c697a76f433808349c492b7542a56186f26e6309b - SCAN_0502_EA2EC.pdf
• a6b7a89a073be96dcfaac63ef0093e3186171995df90c9c3f966083338e858e9 - SCAN_0502_FA2C8.pdf
• c327f7f91d942fa146c474ee052f838ed1ab49ef25db6dfdcaff3c7a5f7ba0f4 - SCAN_0502_FF56B.pdf

DOWNLOADED 7-ZIP FILES FROM LINKS IN THE PDF ATTACHMENTS:

• 930a9c557eb6b4b9e80a91d908ca0eeb08f851b1914c4c649211c9c645623fdd - SCAN_0502_1ACC.7z
• 8460640601f85ac24ad60b9a503bfe647a703def0986c9c5fe40c460fd05e72e - SCAN_0502_2DFEF.7z
• 14b12b4adf81b8207fc31940d0cffabed5686e9eb9ee2f3738ba22eedc8b9009 - SCAN_0502_3AFC8.7z
• cd6fa97364b6394be5a684d4e0a84ae10b153353f547d3ccbc42ecdec4963c7c - SCAN_0502_3EBC.7z
• 4d94eaace3a28423dcd407ed0db253ee97a8285ef0ebb8350daebb347182b631 - SCAN_0502_4CC4E.7z
• 62fbb7ffabaec41485467b857656aa9fb7cde63ec8a4603298fb8ac967a3250b - SCAN_0502_5F27.7z
• 53e29c3aaa854b1825a0f01ed402d9898f41bdd9a24e0fd5d77251896ef6e4af - SCAN_0502_8A13.7z

VBS FILES EXTRACTED FROM THE 7-ZIP FILES:

• d4e8f4aecf366cb816fa50a6b4a73cb2547b35bf729afe070185a2b8092a1d09 - SCAN_0502_1ACC.vbs
• 9fb6121df8ce463a91e692d803634603ba8c164cb3652b442765759218f22468 - SCAN_0502_2DFEF.vbs
• 5048317d53581d12c29d0541f6a241870197d697da0163cbde68d212bf3624ad - SCAN_0502_3AFC8.vbs
• d892917dcb49caa17f6175fb0e2de2d4eefcd6c6c8782472ea46089f90fc1c2e - SCAN_0502_3EBC.vbs
• 5db433ea8ea3f5de437e60ae5173706a0494ca096f8d73f40b3afa5a27b7ca0a - SCAN_0502_4CC4E.vbs
• 2436d135a6307aad7c251f9fa2dc11509b1d4dfed90bc3d70a925d09321ae73e - SCAN_0502_5F27.vbs
• df14ddab7f4a41d1e0e8ca6ff46c7a31389d8d5a3713f6d4fec052059e8e1892 - SCAN_0502_8A13.vbs

DRIDEX SAMPLE RETRIEVED BY ONE OF THE VBS FILES:

• SHA256 hash: c94fe7b646b681ac85756b4ce7f85f4745a7b505f1a2215ba8b58375238bad10
  File size: 143,360 bytes
  File location: C:\Users\[username]\AppData\Local\Temp\XiPePavt.exe

 

TRAFFIC

Shown above:  Traffic from an infected host filtered in Wireshark.

 

URLS FROM THE PDF ATTACHMENTS TO DOWNLOAD THE 7-ZIP ARCHIVES:

• hxxp[:]//etlitttothen[.]com/info/SCAN_0502_1ACC.7z
• hxxp[:]//etlitttothen[.]com/info/SCAN_0502_2DFEF.7z
• hxxp[:]//etlitttothen[.]com/info/SCAN_0502_3AFC8.7z
• hxxp[:]//etlitttothen[.]com/info/SCAN_0502_3EBC.7z
• hxxp[:]//witsemehat[.]net/info/SCAN_0502_4CC4E.7z
• hxxp[:]//witsemehat[.]net/info/SCAN_0502_4CC4E.7z
• hxxp[:]//witsemehat[.]net/info/SCAN_0502_5F27.7z
• hxxp[:]//witsemehat[.]net/info/SCAN_0502_5F27.7z
• hxxp[:]//witsemehat[.]net/info/SCAN_0502_8A13.7z
• hxxp[:]//witsemehat[.]net/info/SCAN_0502_8A13.7z

URLS FROM THE EXTRACTED VBS FILES TO DOWNLOAD THE DRIDEX EXECUTABLE:

• hxxp[:]//atakan[.]com/98ygubyr5?
• hxxp[:]//fbl[.]com[.]sg/98ygubyr5?
• hxxp[:]//ferienimboden[.]com/98ygubyr5?
• hxxp[:]//hwayou[.]com[.]tw/98ygubyr5?
• hxxp[:]//techknowlogix[.]net/98ygubyr5?

• NOTE: The above URLs appear to be from legitimate but compromised websites.

DRIDEX POST-INFECTION SSL/TLS TRAFFIC:

• 60.124.4[.]241 port 443
• 110.5.5[.]184 port 443
• 115.29.6[.]138 port 443
• 205.185.117[.]108 port 4431

IP ADDRESSES FOR THE 7-ZIP DOWNLOAD DOMAINS:

• 212.92.98[.]171 port 80 - etlitttothen[.]com
• 212.92.98[.]171 port 80 - witsemehat[.]net

 

POST-INFECTION FORENSICS

I could not find any artifacts from my infected lab hosts.  The Dridex executable deleted itself and stayed resident in memory; however, after I rebooted, my lab hosts no longer showed any signs of infection.  This was true for both virtual and physical hosts.

Malware analysis from my employer shows the Dridex binary tried to keep the malware persistent, but any attempts to create these associated files failed.  The analysis also shows a scheduled task to keep the malware persistent, but I saw no scheduled tasks on my lab hosts.

I'm not sure if this is an issue with my lab environment, or if it's a problem with the Dridex binaries I've seen so far this year since 2018-01-25.

Shown above:  Part of the analysis on the Dridex sample from my employer's tools.

 

Click here to return to the main page.