2020-09-24 - FEDEX-THEMED MALSPAM WITH LINKS FOR DRIDEX

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2020-09-24-Dridex-IOCs.txt.zip   3.3 kB   (3,289 bytes)

• 2020-09-24-Dridex-IOCs.txt   (8,863 bytes)

• 2020-09-24-Dridex-malspam-20-examples.zip   66.9 kB   (66,866 bytes)

• 2020-09-24-Dridex-malspam-example-01.txt   (26,154 bytes)
• 2020-09-24-Dridex-malspam-example-02.txt   (26,203 bytes)
• 2020-09-24-Dridex-malspam-example-03.txt   (25,865 bytes)
• 2020-09-24-Dridex-malspam-example-04.txt   (25,898 bytes)
• 2020-09-24-Dridex-malspam-example-05.txt   (25,933 bytes)
• 2020-09-24-Dridex-malspam-example-06.txt   (26,122 bytes)
• 2020-09-24-Dridex-malspam-example-07.txt   (26,324 bytes)
• 2020-09-24-Dridex-malspam-example-08.txt   (25,999 bytes)
• 2020-09-24-Dridex-malspam-example-09.txt   (26,026 bytes)
• 2020-09-24-Dridex-malspam-example-10.txt   (25,960 bytes)
• 2020-09-24-Dridex-malspam-example-11.txt   (26,191 bytes)
• 2020-09-24-Dridex-malspam-example-12.txt   (26,169 bytes)
• 2020-09-24-Dridex-malspam-example-13.txt   (26,036 bytes)
• 2020-09-24-Dridex-malspam-example-14.txt   (26,129 bytes)
• 2020-09-24-Dridex-malspam-example-15.txt   (26,325 bytes)
• 2020-09-24-Dridex-malspam-example-16.txt   (26,103 bytes)
• 2020-09-24-Dridex-malspam-example-17.txt   (26,147 bytes)
• 2020-09-24-Dridex-malspam-example-18.txt   (26,124 bytes)
• 2020-09-24-Dridex-malspam-example-19.txt   (26,283 bytes)
• 2020-09-24-Dridex-malspam-example-20.txt   (26,137 bytes)

• 2020-09-24-Dridex-infection.pcap.zip   3.7 MB   (3,724,986 bytes)

• 2020-09-24-Dridex-infection.pcap   (4,024,036 bytes)

• 2020-09-24-Dridex-malware-and-artifacts.zip   4.0 MB   (4,040,203 bytes)

• 2020-09-24-registry-update-for-Dridex.txt   (674 bytes)
• 2020-09-24-scheduled-task-for-Dridex.txt   (4,024 bytes)
• 2020-09-24-startup-menu-shortcut-for-Dridex.bin   (1,313 bytes)
• Ref_Sept24-2020.scr   (752,259 bytes)
• Ref_Sept24-2020.zip   (605,223 bytes)
• bAjTITeLwTk/ACTIVEDS.dll   (1,009,152 bytes)
• bAjTITeLwTk/ApplySettingsTemplateCatalog.exe   (1,138,176 bytes)
• elWt7G/VERSION.dll   (1,009,152 bytes)
• elWt7G/ie4uinit.exe   (238,080 bytes)
• i0m/DUI70.dll   (1,291,264 bytes)
• i0m/DmNotificationBroker.exe   (32,768 bytes)

 

IMAGES

Shown above:  Screenshot from one of the malspam examples.

 

Shown above:  Manually downloading zip archive from one of the links (used HTTP instead of HTTPS).

 

Shown above:  Windows EXE file disguised as an SCR file extracted from the zip archive.

 

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  HTTP stream shows script returned from one of the malspam URLs.

 

Shown above:  Over 800kB of text is converted by the script to a zip file that's downloaded.

 

Shown above:  Certificate issuer data from DridexHTTPS traffic on 151.236.219[.]181.

 

Shown above:  Certificate issuer data from Dridex HTTPS traffic on 62.98.109[.]30.

 

Shown above:  Copy of legitimate system file used to load Dridex DLL (1 of 3).

 

Shown above:  Copy of legitimate system file used to load Dridex DLL (2 of 3).

 

Shown above:  Copy of legitimate system file used to load Dridex DLL (3 of 3).

 

Click here to return to the main page.