Rewterz Threat Alert – Dridex Activity on the Rise

September 11, 2020

Severity

Medium

Analysis Summary

After a pause in Dridex activity, three new documents carrying the Dridex malspam loader have been discovered. The documents follow the same infection chain as previous Dridex campaigns. To get Dridex onto a vulnerable Windows host, the victim must open the document and enable macros. The macro then launches PowerShell, which retrieves a DLL over HTTPS; this DLL is the Dridex installer and is executed immediately. Post-infection, Dridex makes further HTTPS calls to fetch the data it needs for its malspam activity.

Persistence is established through three methods at once: a Windows Registry update, a scheduled task, and a shortcut in the Windows Startup folder. The malware is loaded by existing, legitimate EXE files: the Dridex DLLs are given the names of legitimate DLLs so that the corresponding EXEs load them (DLL side-loading). There are no other notable changes; the Dridex malware itself is unchanged and its traffic patterns are the same as in earlier samples.

Dridex, also known as Bugat and Cridex, is a banking Trojan capable of stealing a victim's online banking credentials and system information from an infected machine.

Impact

  • Theft of sensitive information
  • Financial loss

Indicators of Compromise

MD5

  • 157bd8086064f292226162aa698c7c30
  • fdd760e04f9f6e13ed4afc641c0a2112
  • afda174d91c3bf5b4efef501ee0ca0f1
  • e33256efd8b0b2214938766fde51cbd7
  • 3642312be4d052462fe9c0f7ca155cfb
  • 4b5e6a3741121673cefe45153795026a
  • 537cb77a4bdd9abaaf61e7f25b374ec8

SHA-256

  • 27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428
  • 790b0d9e2b17f637c3e03e410aa22d16eccfefd28d74b226a293c9696edb60ad
  • 4d7d8d1790d494a1a29dae42810a3a10864f7c38148c3600c76491931c767c5c
  • 9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348
  • fd8049d573c056b92960ba7b0949d9f3a97416d333fa602ce683ef822986ad58
  • 719a8634a16beb77e6d5c6bb7f82a96c6a49d5cfa64463754fd5f0e5eb0581be
  • fee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f

SHA1

  • ee3514f16055d01ba7b20c98b3d22d68ed6539d5
  • dccac7015dd1cd5e630ae48d96f3695535cada61
  • acf9129fd3a9f4e6d31377fdbfb5f4088c0dbbb2
  • 51a1c75e5faafce6d4181887d689f0767782a66f
  • 9b8736f8c656bd26c7f7c7dec0e0ac82d53c5c07
  • 12e130a6ae14134d6e40aea8ef000ec0880f4cf8
  • 93c8937a2e46881ed6ac8f4574ed51d3eed6be4c

Source IP

  • 67[.]213[.]75[.]205

URL

  • https[:]//thecandidtales[.]com/wuom4a[.]rar
  • https[:]//teworhfoundation[.]com/zd0pcc[.]rar
  • https[:]//teworhfoundation[.]com/4jvmow[.]zip
  • https[:]//thecandidtales[.]com/doakai[.]zip
  • https[:]//safaktasarim[.]com/7zcsfo[.]txt
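The chain in the Analysis Summary and the indicator lists above translate directly into host-level detections. The following Python is an added example written for this page, not code from Rewterz or from the advisory: it refangs the listed indicators, runs a handful of rules over Sysmon-style events (process creation, network connection, image load, file create, registry value set), and reports which stages of the chain are visible on a host. The event records are constructed for the example; the names foo.exe and bar.dll, the user name and the paths are placeholders, and only the indicators themselves come from the advisory.

```python
import ntpath
import re
from urllib.parse import urlparse

# Indicators copied from the advisory above, kept defanged so the file is safe
# to share; refang() restores the live form for matching.
DEFANGED_IPS = ["67[.]213[.]75[.]205"]
DEFANGED_URLS = [
    "https[:]//thecandidtales[.]com/wuom4a[.]rar",
    "https[:]//teworhfoundation[.]com/zd0pcc[.]rar",
    "https[:]//teworhfoundation[.]com/4jvmow[.]zip",
    "https[:]//thecandidtales[.]com/doakai[.]zip",
    "https[:]//safaktasarim[.]com/7zcsfo[.]txt",
]
SHA256_IOCS = {
    "27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428",
    "790b0d9e2b17f637c3e03e410aa22d16eccfefd28d74b226a293c9696edb60ad",
    "4d7d8d1790d494a1a29dae42810a3a10864f7c38148c3600c76491931c767c5c",
    "9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348",
    "fd8049d573c056b92960ba7b0949d9f3a97416d333fa602ce683ef822986ad58",
    "719a8634a16beb77e6d5c6bb7f82a96c6a49d5cfa64463754fd5f0e5eb0581be",
    "fee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f",
}

def refang(indicator: str) -> str:
    """Undo common defanging: '[.]' -> '.', '[:]' -> ':', 'hxxp' -> 'http'."""
    live = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)

IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
IOC_URLS = {refang(u) for u in DEFANGED_URLS}
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
PERSISTENCE = {"run_key_persistence", "scheduled_task_created", "startup_folder_drop"}

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def _hashes(field: str) -> dict:
    """Parse a Sysmon 'Hashes' field such as 'SHA256=abcd...,MD5=...'."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}

def match_event(ev: dict) -> list:
    """Return the names of every rule a single Sysmon-style event triggers."""
    hits, eid = [], ev["EventID"]
    if eid == 1:  # process creation
        if _base(ev["ParentImage"]) in OFFICE_APPS and _base(ev["Image"]) in SCRIPT_HOSTS:
            hits.append("office_spawned_script_host")  # macro -> PowerShell stage
        if _base(ev["Image"]) == "schtasks.exe" and "/create" in ev["CommandLine"].lower():
            hits.append("scheduled_task_created")
    elif eid == 3:  # network connection
        if ev.get("DestinationIp") in IOC_IPS or (ev.get("DestinationHostname") or "").lower() in IOC_DOMAINS:
            hits.append("connection_to_ioc")
    elif eid == 7:  # image (DLL) loaded; missing 'Signed' field is treated as unsigned
        loaded = ev["ImageLoaded"].lower()
        if any(p in loaded for p in USER_WRITABLE) and ev.get("Signed", "false").lower() == "false":
            hits.append("unsigned_dll_from_user_path")  # side-loading candidate
        if _hashes(ev.get("Hashes", "")).get("SHA256") in SHA256_IOCS:
            hits.append("known_dridex_hash")
    elif eid == 11:  # file created
        if "\\start menu\\programs\\startup\\" in ev["TargetFilename"].lower():
            hits.append("startup_folder_drop")
    elif eid == 13:  # registry value set; only Run entries pointing at user-writable paths
        if "\\currentversion\\run" in ev["TargetObject"].lower() and \
                any(p in ev.get("Details", "").lower() for p in USER_WRITABLE):
            hits.append("run_key_persistence")
    return hits

def triage(events: list) -> dict:
    """Summarise which parts of the Dridex chain are visible across one host's events."""
    rules = {r for ev in events for r in match_event(ev)}
    ioc = bool(rules & {"connection_to_ioc", "known_dridex_hash"})
    persist = len(rules & PERSISTENCE)
    return {"rules": sorted(rules), "ioc_match": ioc, "persistence_methods": persist,
            "full_chain": "office_spawned_script_host" in rules and ioc and persist == 3}

# Constructed Sysmon-style events (not real telemetry) walking the chain above.
# User name, paths and the names foo.exe/bar.dll are placeholders; the SHA256 is one
# of the advisory's indicators. The last event is benign noise that must not fire.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
APP = r"C:\Users\alice\AppData\Roaming\Foo"
EVENTS = [
    {"EventID": 1, "Image": WORD, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE invoice.doc"},
    {"EventID": 1, "Image": PS, "ParentImage": WORD, "CommandLine": "powershell -w hidden -nop (download stage omitted)"},
    {"EventID": 3, "Image": PS, "DestinationIp": "67.213.75.205", "DestinationPort": 443},
    {"EventID": 7, "Image": APP + r"\foo.exe", "ImageLoaded": APP + r"\bar.dll", "Signed": "false",
     "Hashes": "SHA256=27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Foo",
     "Details": APP + r"\foo.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": 'schtasks /create /tn Foo /tr "' + APP + r'\foo.exe" /sc minute /mo 30'},
    {"EventID": 11, "Image": APP + r"\foo.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Foo.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad"},
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

Running the script prints the triage for the constructed host, with all three persistence methods and the IOC match flagged as a full chain. The Run-key and DLL-load rules are deliberately restricted to user-writable paths to keep noise down, so in a real deployment USER_WRITABLE and the Office/script-host lists need tuning to the environment, and the MD5 and SHA1 lists above can be added to the hash check in the same way as the SHA256 set.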

Remediation

  • Block the threat indicators at their respective controls (email gateway, web proxy, firewall, endpoint).
  • Do not download email attachments coming from unknown sources.
  • Do not enable macros for untrusted files; where possible, enforce macro blocking centrally by policy rather than relying on users.
  • Monitor for Office applications spawning PowerShell, and for newly created Run keys, scheduled tasks and Startup-folder shortcuts that point at user-writable paths.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.