2015-04-15 - DRIDEX ACTIVITY

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-04-15-Dridex-email-info.csv.zip
• 2015-04-15-Dridex-malware-info.csv.zip
• 2015-04-15-Dridex-infection-traffic.pcap.zip
• 2015-04-15-Dridex-malware-samples.zip

 

NOTES:

• This particular Dridex run had links in the emails that were Google redirects to Dropbox URLs.
• See the above spreadsheets for examples of the links.

 

EMAILS

SCREENSHOT EXAMPLE:

 

EXAMPLES OF THE SUBJECT LINES:

• Aborted Domestic Wire payment (P4665571)
• Aborted Domestic Wire transfer (Z7361134)
• Aborted Wire payment (G2486139)
• Cancelled Domestic Wire payment (I5649242)
• Cancelled Domestic Wire transfer (T2548758)
• Denied Domestic Wire payment (A0466821)
• Denied Domestic Wire transfer (V0875467)
• Denied Wire transfer (U9911821)
• Rejected Domestic Wire payment (R4839145)
• Rejected Domestic Wire transfer (T0617091)
• Rejected Wire payment (D2862795)
• Rejected Wire transfer (F2447084)

 

EXAMPLES OF MALWARE FROM THE LINKS IN THE EMAILS:

• file name: TRANSFER 6262.scr - MD5 hash: 055ec8b8641f265a5d92f28340966cc4
• file name: WIRE TRANSFER 5161.scr - MD5 hash: 16a0c11f645e16297a353f160229ea02
• file name: RECENT WIRE PAYMENT 1073.scr - MD5 hash: 1a0dce2b29b56f45285e9b4fa15a78b0
• file name: RECENT WIRE TRANSFER 4187.scr - MD5 hash: 2c43148d6cf54decc830f35cd1003cac
• file name: TRANSFER 8879.scr - MD5 hash: 568b54d4548fe43d3b9be34011fdd7a1
• file name: WIRE TRANSFER 0078.scr - MD5 hash: 629ace2b622690bf52a8e646ece31174
• file name: WIRE PAYMENT 7854.scr - MD5 hash: 6d0734be8adcdcbe9338ef3d90bbf911
• file name: PAYMENT 8791.scr - MD5 hash: 79edb2e4b6d8530ef048d16d74ca2004
• file name: RECENT WIRE TRANSFER 2300.scr - MD5 hash: 8c4d60b8bed668b033784cbd3a830f0f
• file name: RECENT WIRE PAYMENT 6732.scr - MD5 hash: 94a86d50ffd4cbfb7262acbe9be2eb53
• file name: PAYMENT 5220.scr - MD5 hash: a64b18e46ea87abce4bf784d1b9a99c8
• file name: PAYMENT 9008.scr - MD5 hash: b718a978fb4f1727158834aae449b6f7
• file name: PAYMENT 8610.scr - MD5 hash: bd76ed5d4ff737d3c612bb8bac31b275
• file name: PAYMENT 7453.scr - MD5 hash: dc2888c271b715ccddf0ed8d490bae70
• file name: PAYMENT 5525.scr - MD5 hash: e5d0c45351a73b14e6e913263811948c
• file name: WIRE PAYMENT 5594.scr - MD5 hash: ec602668d681a13504b99adb6682ab19
• file name: WIRE TRANSFER 9012.scr - MD5 hash: fc208c52190bedc5e36b257e07d4ed81

 

INFECTION TRAFFIC

FROM MONITORING AN INFECTED HOST:

• 188.226.150[.]141 port 1443 - encrypted (TLS) traffic with certificate for srv1.mainsftdomain[.]com
• 136.243.237[.]199 port 80 - sfx[.]co
• 136.243.237[.]199 port 80 - frvus[.]us
• 136.243.237[.]199 port 80 - bgw[.]org
• 136.243.237[.]199 port 80 - kdhltfqwagdq[.]net
• 136.243.237[.]199 port 80 - kmmhlwd[.]net
• 136.243.237[.]199 port 80 - tdyzvswnkeqakoyo[.]com
• 136.243.237[.]199 port 80 - uryqekjynzxvz[.]com
• 136.243.237[.]199 port 80 - swxswcavpaxqmqyff[.]biz
• 136.243.237[.]199 port 80 - ipplusnbnrrjkqzv[.]in
• 136.243.237[.]199 port 80 - eevdmpbpyyqfyj[.]edu
• 136.243.237[.]199 port 80 - lxgcgljn[.]edu
• 136.243.237[.]199 port 80 - eikgkzorh[.]eu
• 136.243.237[.]199 port 80 - nihaaju[.]in
• 136.243.237[.]199 port 80 - whyyrzmpuhgjmjjckd[.]com
• 136.243.237[.]199 port 80 - dnbfz[.]me
• 79.168.145[.]215 port 80 - mkcxmosff[.]me

 

NOTES:

• I used PAYMENT 5220.scr (MD5 hash: a64b18e46ea87abce4bf784d1b9a99c8) to generate the above traffic.
• In another test environment with the same malware sample, I also got Dridex-style URLs to 213.138.124[.]13 and 79.168.145[.]215.

 

SNORT EVENTS

The only Dridex-specific alert I got was the following:

• 188.226.150[.]141 port 1443 - ET CURRENT_EVENTS Possible Dridex downloader SSL Certificate srv1.mainsftdomain.com (sid:2020866)

 

Click here to return to the main page.