This website uses cookies. By continuing to browse this website, you accept our use of cookies and our Cookie Policy. Close

Our Blog

Dridex Down Under

Share

Thursday, Nov 05, 2015

<p>
Raytheon | Websense&reg;&nbsp;Security Labs&trade; has been tracking malicious email campaigns associated with the Dridex banking Trojan since 2014. An interesting development this past week was a regional move to target Australia. Dridex botnet 220 related email were being sent to potential victims in the land down under. This is a change from the recent months, when Dridex botnet 220 campaigns have displayed a heavy bias towards U.K.-based potential victims.&nbsp;</p>

<p>
The focus on Australia in the email lure targeting was further confirmed by analysis of the botnet configuration file. The configuration file downloaded by infected computers included directions to take &quot;Clickshots&quot; when potential victims access certain Australian banking websites.</p>

<p>
Raytheon | Websense customers&nbsp;are protected against this threat via real-time&nbsp;analytics with ACE,&nbsp;the Websense&nbsp;<a href="http://www.websense.com/content/websense-advanced-classification-engine.... rel="nofollow" target="_blank">Advanced Classification Engine</a>, at the different&nbsp;<a href="http://www.websense.com/content/seven-stages-recon.aspx?cmpid=slbl" rel="nofollow" target="_blank">stages</a>&nbsp;of the attack detailed below:&nbsp;</p>

<ul>
<li>
Stage 2 (Lure) - ACE has protection against the malicious email sent to targets.</li>
<li>
Stage 5 (Dropper) - ACE has protection against the malicious doc files and the malware files.</li>
<li>
Stage 6 (Call Home) - ACE has live, real-time protection against the malicious traffic generated by the malware associated with this threat.</li>
</ul>

<h2>
Email Lures</h2>

<p>
The email lures were rudimentary in content. One campaign was spoofing the target domain in the sender. The other used the email address of a property management company as the sender (the company subsequently issued a warning on&nbsp;its website).</p>

<p>
Sender: konica@&lt;targetdomain&gt;</p>

<p>
Subject: Message from KMBT_C252</p>

<p>
Attachment: SKMBT_C25213120613510.doc</p>

<p>
<img alt="Message from KMBT - Screenshot" src="/sites/default/files/blog/legacy/security-labs/8037.dridex_220_lure_message_from_kmbt_c252.png-550x0.png" style="height:321px; width:549px" /></p>

<p>
Sender: @posei.com.au</p>

<p>
Subject: November 2015 T</p>

<p>
Tax Invoice Attachment: November_2015_Tax_Invoice_3903_001.doc OR 3903_001.doc</p>

<p>
<img alt="November Tax Invoice Screenshot" src="/sites/default/files/blog/legacy/security-labs/1172.dridex_220_lure_november_2015_tax_invoice.png-550x0.png" style="height:321px; width:549px" /></p>

<h2>
Malicious Doc Attachments</h2>

<p>
As is typical of&nbsp;Dridex botnet 220-related email campaigns (and Shifu-related email campaigns as well, see our previous blog&nbsp;<a href="http://blogs.websense.com/security-labs/japanese-banking-trojan-shifu-di...),&nbsp;the messages carried an MS-Word doc file, which contained an obfuscated macro that attempted to download an executable from one of these URLs:</p>

<p>
hxxp://www.arredoshop[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://www.indigocamp[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://aabisolution[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://nuncfashion[.]com/76f7564d/267879u98c.exe</p>

<p>
The executable is the Dridex loader, which then injects the Dridex DLL into the Windows Explorer process.&nbsp;</p>

<p>
The attachments are detected by the&nbsp;TRITON File Sandbox&nbsp;as malicious:</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/6712.file_sandbox_report1.png-550x0.png" style="height:191px; width:550px" /></p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/5344.file_sandbox_report2.png-550x0.png" style="height:363px; width:550px" /></p>

<h2>
Target Spread</h2>

<p>
When we examine these two specific campaigns via&nbsp;Raytheon | Websense&nbsp;TRITON&reg;&nbsp;APX reporting, we can see that more than 650,000 of these messages were stopped in the&nbsp;Raytheon | Websense cloud and hybrid email environment. Slicing up by recipient top-level domain (TLD) shows a heavy bias of these campaigns towards Australian potential victims.</p>

<p>
In fact, 99.91% were sent to recipients with addresses that had .au country code.</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/8371.dridex_220_2015_11_04_rcpt_tld_1.png-550x0.png" style="height:633px; width:550px" /></p>

<h2>
Botnet Configuration File</h2>

<p>
A few minutes after infecting a victim, the Dridex Trojan downloads a full configuration file from one of the Command &amp; Control nodes. The configuration file contains various sections informing the Trojan of what techniques to use in order to collect credentials from different websites. One of the techniques used is a form of taking a screenshot that&#39;s referred to as &quot;Clickshot.&quot; This is applied to certain websites where other techniques such as&nbsp;HTTP injection or form grabbing are not effective.</p>

<p>
The Clickshot logic includes number of clicks and vertical and horizontal range to define an area around the mouse. This is done to defeat virtual keyboard security. By taking a series of screenshots in a small area around the mouse cursor, the cyber-criminals are hoping to grab the login credentials.</p>

<p>
When examining the section below, we can see, that among other targets, users browsing to Australian banking sites will have their login transactions recorded by &quot;Clickshots.&quot;</p>

<p>
<img alt="" src="/sites/default/files/blog/legacy/security-labs/0486.dridex_220_config_2015_11_04_clickshots_blur.png-550x0.png" style="height:249px; width:550px" /></p>

<h2>
Summary</h2>

<p>
We can see that recent reports of Dridex&#39;s death have been greatly exaggerated, with several botnets in operation (120/121, 301, and 220). Regional shifts expansions are to be expected from time to time, although it was unique to see botnet 220 making the shift. Historically, botnet 120-related campaigns were used with more specific regional focus (such as France).&nbsp;</p>

<p>
Blog contributors: Ran Mosessco,&nbsp;Nick Griffin</p>

<h2>
Indicators of Compromise (IOCs)</h2>

<p>
<strong>Attachments SHA1</strong></p>

<p>
f999a2019cff0300ba2c39950245b090c59179e2</p>

<p>
e14ab6522a23b4a181186eb344a624229600743f</p>

<p>
ff97dcbfc5c566ae9fc81b03f2e86d88527bd3d1</p>

<p>
743546a99201535fbe24d31851fa05f73395faab</p>

<p>
<strong>Payload URI</strong></p>

<p>
hxxp://www.arredoshop[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://www.indigocamp[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://aabisolution[.]com/76f7564d/267879u98c.exe</p>

<p>
hxxp://nuncfashion[.]com/76f7564d/267879u98c.exe</p>

<p>
<strong>Payload:</strong></p>

<p>
SHA1: 2d633c80ef9d1f61e37c3d30e3b613d45f327550</p>

<p>
<strong>C2 (First level):</strong></p>

<p>
&lt;config botnet=&quot;220&quot;&gt;&nbsp;</p>

<p>
&nbsp; &nbsp;&lt;server_list&gt;&nbsp;</p>

<p>
128.199.122[.]196:6446&nbsp;</p>

<p>
75.99.13[.]123:8443&nbsp;</p>

<p>
198.74.58[.]153:5445&nbsp;</p>

<p>
221.132.35[.]56:8843&nbsp;</p>

<p>
&nbsp; &nbsp;&lt;/server_list&gt;&nbsp;</p>

<p>
&lt;/config&gt;&nbsp;</p>

About the Author

RM

Ran Mosessco

Principal Security Researcher