2020-09-07-IOCs-for-Dridex-infection.txt
2020-09-07 (MONDAY) - MALSPAM WITH XLS ATTACHMENT HAS MACRO TO PUSH DRIDEX
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1303781746702508032
NOTES:
- After being absent for approximately one month, we started seeing examples of the Cutwail botnet sending malicious spam (malspam) pushing Dridex again on Monday 2020-09-07.
- Additional Cutwail malspam pushing Dridex (with different indicators/files/URLs/etc) has been reported as of Tuesday 2020-09-08.
EMAIL HEADERS FROM MALSPAM EXAMPLE:
Received: from static-ip-1868148155.cable.net.co ([186.81.48.155])
    by [removed] for [removed]; Mon, 07 Sep 2020 10:31:43 -0700
X-RC-FROM: <[email protected]>
X-RC-RCPT: [removed]
Received: from [216.44.195.151] (account [email protected] HELO tc.ge.pje44093.sac.fedex.com)
    by static-ip-1868148155.cable.net.co (Exim 4.89)
    with ESMTPA id eEcFf7Fa for [removed]; Mon, 7 Sep 2020 12:31:44 -0500
Received: from ([103.94.107.77]) by static-ip-1868148155.cable.net.co with SMTP id
    D41C734C60; Mon, 7 Sep 2020 12:31:44 -0500
Date: Mon, 7 Sep 2020 12:31:44 -0500
From: Derek Rose <[email protected]>
Reply-To: Derek Rose <[email protected]>
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
Subject: copy of Invoice
ATTACHMENT INFO:
- SHA256 hash: a46b5d45d8ec0fd6f943d694fc9c42d7ae72d33122fb4c0e790d420c1bb53204
- File size: 65,536 bytes
- File name: 20200907_135061.xls
- File description: XLS file with macros for Dridex
URLS FROM AT LEAST 40 POSSIBLE URLS GENERATED BY THE XLS MACRO FOR THE DRIDEX INSTALLER DLL:
RUN METHOD FOR DRIDEX INSTALLER DLL FILES:
- regsvr32.exe -s [file location]
10 EXAMPLES OF LOCATIONS FOR DRIDEX INSTALLER DLL FILES (note: no file extension on the DLL):
- regsvr32.exe -s C:\XMkkdsZZ\PUBWNG\RNidR2AF
- regsvr32.exe -s C:\Xvnau9kk\vlAShMf\w2lhlvL
- regsvr32.exe -s C:\Xd6sfzNp\SqFXmRk\T7qme40
- regsvr32.exe -s C:\XvI7AP77\g8Xj4d2i\x84wFBc7
- regsvr32.exe -s C:\XZxja5gf\4hfdIbN\EhdtqGg
- regsvr32.exe -s C:\XpB4rh11\G2Rdy6ci\TyqzIT
- regsvr32.exe -s C:\X0NTGUzu\Mk9i8nt\FeGhGhc
- regsvr32.exe -s C:\XKhZMapW\JXxg9R6\CTKfb7Wz
- regsvr32.exe -s C:\X9MhbII7\Nj1FvD06\GG0TuIm
- regsvr32.exe -s C:\XBFEYhON\zOp7K1\vQLCbzO
EXAMPLE OF DRIDEX INSTALLER DLL:
- SHA256 hash: c22118ef67c9a5f09edab92cecb2c4f03768922373b1078c6a8a3b3418e1efe3
- File size: 335,872 bytes
- File location: hxxps://construtorahabite[.]com.br/wpadmin/rjkthgowertgoiwe.zip
- File location: C:\XUseXl0b\OaJ2ENt\5VqlBbnN
- File description: DLL file retrieved by XLS macros, used to install Dridex
3 LOCATIONS WHERE DRIDEX WAS PERSISTENT ON AN INFECTED WINDOWS HOST IN OUR LAB:
- SHA256 hash: 733f1f153f1ac4de67d435e48a585c8acc9d5701ac1869fb55fadc23e9358d69
- File size: 1,013,760 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Document Themes\1kNIz\VERSION.dll
- File description: Dridex DLL run by copy of legitimate system file sigverif.exe in the same directory, made persistent through a Windows registry update
- SHA256 hash: b7982ba52fa405eb15db53c75390e820a030e64147d236f090c2d21cf0865922
- File size: 1,015,296 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Internet Explorer\UserData\Jov5Cwf8Pz3\FVEWIZ.dll
- File description: Dridex DLL run by copy of legitimate system file BitLockerWizard.exe in the same directory, persistent through a scheduled task
- SHA256 hash: 292082e29db3264946e3e6aa1c42e929a76cb3ad4a9a0299d9a881f429c29935
- File size: 1,295,872 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Templates\Kf\DUI70.dll
- File description: Dridex DLL run by copy of legitimate system file msdt.exe in the same directory, persistent through a startup menu shortcut
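DETECTION EXAMPLE (added here for defenders; this is not part of the original IOC file):
The following Python script turns two patterns above into checks over process-creation events: the regsvr32.exe -s run method with an extension-less DLL under a C:\X<7 chars>\...\... drop path, and the persistence trick of running a copy of sigverif.exe, BitLockerWizard.exe or msdt.exe from AppData\Roaming next to a Dridex DLL. The event records and field names (image, cmdline) are constructed, Sysmon-style samples and are assumptions, not data from this page.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields); not taken from the page.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe -s C:\XMkkdsZZ\PUBWNG\RNidR2AF"},          # matches page pattern
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},   # benign silent register
    {"image": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\Kf\msdt.exe",
     "cmdline": r"msdt.exe"},                                             # copied system binary
    {"image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r"msdt.exe -id PCWDiagnostic"},                          # legitimate msdt.exe
]

# Drop-path shape seen in the page's regsvr32 examples: C:\X + 7 alphanumerics, two more
# alphanumeric components, and no file extension (a trailing '.' not followed by a word char
# is tolerated because the page's list ends each line with sentence punctuation).
DRIDEX_DROP_PATH = re.compile(r"(?i)\bC:\\X[A-Za-z0-9]{7}\\[A-Za-z0-9]+\\[A-Za-z0-9]+(?!\w|\.\w)")
SILENT_FLAG = re.compile(r"(?i)(^|\s)[-/]s\b")

# Legitimate Windows binaries the page reports being copied next to Dridex DLLs for side-loading.
SIDELOAD_HOSTS = {"sigverif.exe", "bitlockerwizard.exe", "msdt.exe"}
APPDATA_ROAMING = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\roaming\\")


def classify(event):
    """Return a list of finding strings for one process-creation event (empty if clean)."""
    findings = []
    image, cmdline = event["image"], event["cmdline"]
    basename = image.rsplit("\\", 1)[-1].lower()
    if basename == "regsvr32.exe" and SILENT_FLAG.search(cmdline) and DRIDEX_DROP_PATH.search(cmdline):
        findings.append("regsvr32 silent load of extension-less DLL from C:\\X* drop path")
    if basename in SIDELOAD_HOSTS and APPDATA_ROAMING.search(image):
        findings.append(f"{basename} running from AppData\\Roaming (possible DLL side-load)")
    return findings


def scan(events):
    """Run classify() over all events; returns (cmdline, finding) pairs for review."""
    return [(e["cmdline"], f) for e in events for f in classify(e)]


if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_EVENTS):
        print(f"ALERT: {finding} :: {cmdline}")
```

Both checks are deliberately narrow (the exact path shape and binary names from this report); widen them with care, since regsvr32 /s and msdt.exe are common in benign activity.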
POST-INFECTION HTTPS TRAFFIC FROM DRIDEX-INFECTED HOST:
- 45.79.8[.]25 port 443 - HTTPS traffic (certificate issuer data follows):
-- id-at-countryName=DE
-- id-at-stateOrProvinceName=Sheso thanthefo
-- id-at-localityName=Berlin
-- id-at-organizationName=Thedelor Tbrra SICAV
-- id-at-organizationalUnitName=5Coiesily Begtherdr istwarscon
-- id-at-commonName=Bath7epran.toshiba
- 54.39.34[.]26 port 453 - HTTPS traffic (certificate issuer data follows):
-- id-at-countryName=TR
-- id-at-stateOrProvinceName=Thereb
-- id-at-localityName=Ankara
-- id-at-organizationName=Atercon Urlelgrks SAS
-- id-at-organizationalUnitName=4ondmusepr and Omibyndtr
-- id-at-commonName=Mecri.swenw.tube