Dridex Down Under

<p>
Raytheon | Websense&reg;&nbsp;Security Labs&trade; has been tracking malicious email campaigns associated with the Dridex banking Trojan since 2014. An interesting development this past week was a regional move to target Australia. Dridex botnet 220 related email were being sent to potential victims in the land down under. This is a change from the recent months, when Dridex botnet 220 campaigns have displayed a heavy bias towards U.K.-based potential victims.&nbsp;</p>

<p>
The focus on Australia in the email lure targeting was further confirmed by analysis of the botnet configuration file. The configuration file downloaded by infected computers included directions to take &quot;Clickshots&quot; when potential victims access certain Australian banking websites.</p>

<p>
Raytheon | Websense customers&nbsp;are protected against this threat via real-time&nbsp;analytics with ACE,&nbsp;the Websense&nbsp;<a href="http://www.websense.com/content/websense-advanced-classification-engine.... rel="nofollow" target="_blank">Advanced Classification Engine</a>, at the different&nbsp;<a href="http://www.websense.com/content/seven-stages-recon.aspx?cmpid=slbl" rel="nofollow" target="_blank">stages</a>&nbsp;of the attack detailed below:&nbsp;</p>

<ul>
<li>
Stage 2 (Lure) - ACE has protection against the malicious email sent to targets.</li>
<li>
Stage 5 (Dropper) - ACE has protection against the malicious doc files and the malware files.</li>
<li>
Stage 6 (Call Home) - ACE has live, real-time protection against the malicious traffic generated by the malware associated with this threat.</li>
</ul>

<h2>
Email Lures</h2>

<p>
The email lures were rudimentary in content. One campaign was spoofing the target domain in the sender. The other used the email address of a property management company as the sender (the company subsequently issued a warning on&nbsp;its website).</p>

<p>
Sender: konica@&lt;targetdomain&gt;</p>

<p>
Subject: Message from KMBT_C252</p>

<p>
Attachment: SKMBT_C25213120613510.doc</p>

<p>
<img alt="Message from KMBT - Screenshot" src="/sites/default/files/blog/legacy/security-labs/8037.dridex_220_lure_message_from_kmbt_c252.png-550x0.png" style="height:321px; width:549px" /></p>

<p>
Sender: @posei.com.au</p>

<p>
Subject: November 2015 T</p>

<p>
Tax Invoice Attachment: November_2015_Tax_Invoice_3903_001.doc OR 3903_001.doc</p>

<p>
<img alt="November Tax Invoice Screenshot" src="/sites/default/files/blog/legacy/security-labs/1172.dridex_220_lure_november_2015_tax_invoice.png-550x0.png" style="height:321px; width:549px" /></p>

<h2>
Malicious Doc Attachments</h2>

<p>
As is typical of&nbsp;Dridex botnet 220-related email campaigns (and Shifu-related email campaigns as well, see our previous blog&nbsp;<a href="http://blogs.websense.com/security-labs/japanese-banking-trojan-shifu-di...),&nbsp;the messages carried an MS-Word doc file, which contained an obfuscated macro that attempted to download an executable from one of these URLs:</p>

<p>
hxxp://www.arredoshop[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://www.indigocamp[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://aabisolution[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://nuncfashion[.]com/76f7564d/267879u98c.exe</p>

<p>
The executable is the Dridex loader, which then injects the Dridex DLL into the Windows Explorer process.&nbsp;</p>

<p>
The attachments are detected by the&nbsp;TRITON File Sandbox&nbsp;as malicious:</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/6712.file_sandbox_report1.png-550x0.png" style="height:191px; width:550px" /></p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/5344.file_sandbox_report2.png-550x0.png" style="height:363px; width:550px" /></p>

<h2>
Target Spread</h2>

<p>
When we examine these two specific campaigns via&nbsp;Raytheon | Websense&nbsp;TRITON&reg;&nbsp;APX reporting, we can see that more than 650,000 of these messages were stopped in the&nbsp;Raytheon | Websense cloud and hybrid email environment. Slicing up by recipient top-level domain (TLD) shows a heavy bias of these campaigns towards Australian potential victims.</p>

<p>
In fact, 99.91% were sent to recipients with addresses that had .au country code.</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/8371.dridex_220_2015_11_04_rcpt_tld_1.png-550x0.png" style="height:633px; width:550px" /></p>

<h2>
Botnet Configuration File</h2>

<p>
A few minutes after infecting a victim, the Dridex Trojan downloads a full configuration file from one of the Command &amp; Control nodes. The configuration file contains various sections informing the Trojan of what techniques to use in order to collect credentials from different websites. One of the techniques used is a form of taking a screenshot that&#39;s referred to as &quot;Clickshot.&quot; This is applied to certain websites where other techniques such as&nbsp;HTTP injection or form grabbing are not effective.</p>

<p>
The Clickshot logic includes number of clicks and vertical and horizontal range to define an area around the mouse. This is done to defeat virtual keyboard security. By taking a series of screenshots in a small area around the mouse cursor, the cyber-criminals are hoping to grab the login credentials.</p>

<p>
When examining the section below, we can see, that among other targets, users browsing to Australian banking sites will have their login transactions recorded by &quot;Clickshots.&quot;</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/0486.dridex_220_config_2015_11_04_clickshots_blur.png-550x0.png" style="height:249px; width:550px" /></p>

<h2>
Summary</h2>

<p>
We can see that recent reports of Dridex&#39;s death have been greatly exaggerated, with several botnets in operation (120/121, 301, and 220). Regional shifts expansions are to be expected from time to time, although it was unique to see botnet 220 making the shift. Historically, botnet 120-related campaigns were used with more specific regional focus (such as France).&nbsp;</p>

<p>
Blog contributors: Ran Mosessco,&nbsp;Nick Griffin</p>

<h2>
Indicators of Compromise (IOCs)</h2>

<p>
<strong>Attachments SHA1</strong></p>

<p>
f999a2019cff0300ba2c39950245b090c59179e2</p>

<p>
e14ab6522a23b4a181186eb344a624229600743f</p>

<p>
ff97dcbfc5c566ae9fc81b03f2e86d88527bd3d1</p>

<p>
743546a99201535fbe24d31851fa05f73395faab</p>

<p>
<strong>Payload URI</strong></p>

<p>
hxxp://www.arredoshop[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://www.indigocamp[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://aabisolution[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://nuncfashion[.]com/76f7564d/267879u98c.exe</p>

<p>
<strong>Payload:</strong></p>

<p>
SHA1: 2d633c80ef9d1f61e37c3d30e3b613d45f327550</p>

<p>
<strong>C2 (First level):</strong></p>

<p>
&lt;config botnet=&quot;220&quot;&gt;&nbsp;</p>

<p>
&nbsp; &nbsp;&lt;server_list&gt;&nbsp;</p>

<p>
128.199.122[.]196:6446&nbsp;</p>

<p>
75.99.13[.]123:8443&nbsp;</p>

<p>
198.74.58[.]153:5445&nbsp;</p>

<p>
221.132.35[.]56:8843&nbsp;</p>

<p>
&nbsp; &nbsp;&lt;/server_list&gt;&nbsp;</p>

<p>
&lt;/config&gt;&nbsp;</p>