2018-02-05 - MALSPAM USING PDF ATTACHMENTS TO PUSH DRIDEX SINCE 2018-01-30

ASSOCIATED FILES FROM TODAY:

ASSOCIATED FILES FROM AN INFECTION ON 2018-01-30:

 

NOTES

 


Shown above:  Spreadsheet tracker for today's Dridex malspam (1 of 2).

 


Shown above:  Spreadsheet tracker for today's Dridex malspam (2 of 2).

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

DATA FROM 10 EMAIL SAMPLES:

 

MALWARE


Shown above:  Downloading a 7-zip archive from one of the PDF attachments.

 


Shown above:  VBS file extracted from one of the downloaded 7-zip archives.

 

EMAIL ATTACHMENTS:

DOWNLOADED 7-ZIP FILES FROM LINKS IN THE PDF ATTACHMENTS:

VBS FILES EXTRACTED FROM THE 7-ZIP FILES:

DRIDEX SAMPLE RETRIEVED BY ONE OF THE VBS FILES:

 

TRAFFIC


Shown above:  Traffic from an infected host filtered in Wireshark.

 

URLS FROM THE PDF ATTACHMENTS TO DOWNLOAD THE 7-ZIP ARCHIVES:

URLS FROM THE EXTRACTED VBS FILES TO DOWNLOAD THE DRIDEX EXECUTABLE:

DRIDEX POST-INFECTION SSL/TLS TRAFFIC:

IP ADDRESSES FOR THE 7-ZIP DOWNLOAD DOMAINS:

 

POST-INFECTION FORENSICS

I could not find any artifacts from my infected lab hosts.  The Dridex executable deleted itself and stayed resident in memory; however, after I rebooted, my lab hosts no longer showed any signs of infection.  This was true for both virtual and physical hosts.

Malware analysis from my employer shows the Dridex binary tried to keep the malware persistent, but any attempts to create these associated files failed.  The analysis also shows a scheduled task to keep the malware persistent, but I saw no scheduled tasks on my lab hosts.

I'm not sure if this is an issue with my lab environment, or if it's a problem with the Dridex binaries I've seen so far this year since 2018-01-25.


Shown above:  Part of the analysis on the Dridex sample from my employer's tools.

 

FINAL NOTES

Once again, here are the associated files:

 

Click here to return to the main page.