Rewterz Threat Alert – Dridex Activity on the Rise

Severity

Medium

Analysis Summary

After a pause in the activities involving the Dridex malware, three documents containing the Dridex malspam malware have been discovered. The documents obtained followed the same infection process as previous iterations of Dridex. In order to deploy Dridex on a vulnerable Windows host, the victim must download the document and enable macros. Upon doing so, the macro will cause Powershell to retrieve a DLL over HTTPS encrypted traffic. This DLL is the installer for Dridex and is immediately run. Post-infection, Dridex makes HTTPS calls in order to obtain the requisite malspam data. Persistence is obtained via three simultaneous methods: Windows Registry update, scheduled task, and Windows Startup menu shortcut. The malware uses existing EXE files to load the malware. The specific DLLs used by Dridex are named in such a way that they match legitimate DLLs and would be run by corresponding EXEs. Beyond any blatant changes, the Dridex malware is unchanged and traffic patterns are the same. Dridex is a Trojan malware, also known as Bugat and Cridex, that is capable of stealing a victim’s online banking and system information from an infected machine.

Impact

• Theft of sensitive information
• Financial loss

Indicators of Compromise

MD5

• 157bd8086064f292226162aa698c7c30
• fdd760e04f9f6e13ed4afc641c0a2112
• afda174d91c3bf5b4efef501ee0ca0f1
• e33256efd8b0b2214938766fde51cbd7
• 3642312be4d052462fe9c0f7ca155cfb
• 4b5e6a3741121673cefe45153795026a
• 537cb77a4bdd9abaaf61e7f25b374ec8

SHA-256

• 27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428
• 790b0d9e2b17f637c3e03e410aa22d16eccfefd28d74b226a293c9696edb60ad
• 4d7d8d1790d494a1a29dae42810a3a10864f7c38148c3600c76491931c767c5c
• 9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348
• fd8049d573c056b92960ba7b0949d9f3a97416d333fa602ce683ef822986ad58
• 719a8634a16beb77e6d5c6bb7f82a96c6a49d5cfa64463754fd5f0e5eb0581be
• fee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f

SHA1

• ee3514f16055d01ba7b20c98b3d22d68ed6539d5
• dccac7015dd1cd5e630ae48d96f3695535cada61
• acf9129fd3a9f4e6d31377fdbfb5f4088c0dbbb2
• 51a1c75e5faafce6d4181887d689f0767782a66f
• 9b8736f8c656bd26c7f7c7dec0e0ac82d53c5c07
• 12e130a6ae14134d6e40aea8ef000ec0880f4cf8
• 93c8937a2e46881ed6ac8f4574ed51d3eed6be4c

Source IP

• 67[.]213[.]75[.]205

URL

• https[:]//thecandidtales[.]com/wuom4a[.]rar
• https[:]//teworhfoundation[.]com/zd0pcc[.]rar
• https[:]//teworhfoundation[.]com/4jvmow[.]zip
• https[:]//thecandidtales[.]com/doakai[.]zip
• https[:]//safaktasarim[.]com/7zcsfo[.]txt

Remediation

• Block the threat indicators at their respective controls. 
• Do not download email attachments coming from unknown sources. 
• Do not enable macros for untrusted files.