Threat Intelligence Report – Dridex Ransomware Update

Date: 24th July 2019

Summary

The Dridex banking trojan first appeared in 2011 and had become a major financial cyber threat.  In 2015, the damage done by the Trojan was estimated at over $40 million and by now the cost is estimated to run into hundreds of millions of dollars.  There have been numerous unsuccessful attempts to block the trojan`s activity but the trojan remains active.  In early 2017, Dridex activity was discovered in several European countries, with the UK accounting for nearly 60% of all detections, followed by Germany and France.

The malware developers appear to be very active and are once again renewing the software`s capabilities and attack vectors. New capabilities suggest that the threat group may intend to target more than banking credentials, and capabilities exist to capture comprehensive data and credentials from browsers, and remotely control infected machines.

Conclusion:

Newer Dridex developments maintain pressure on banking organisation but also introduce risks to non banking organisations. With increasingly far reaching credential and browser information stealing capabilities, the malware is extremely well placed to target SaaS accounts on a range of services, and therefore has increasing relevance to many customers.

Tactics, Techniques and Procedures

Dridex infections typically begin with spammed email messages to many users.  These messages come with a malicious attachment, typically a Microsoft Word document which contains malicious macro code (detected as TROJ_WMSHELL.A).

The attacks lure the victims to open the attachment by using the names of legitimate local institutions.  Some of these emails refer to attached invoices,  stating it comes from a software company, online retailer or bank. Once the user opens the attachments, Dridex malware is installed. If macros are disabled by default, users must enable the use of macros in a pop-up for the malware to work.

When the malicious macro is executed on the system, it downloads the Dridex loader that server as stage one malware then it points to the Dridex.DLL file that contains the information stealing and man in the browser routines. Once installed and executed in the target system, Dridex can:

  • Upload, download, and execute files
  • Monitor network traffic
  • Take Browser screenshots
  • Add the compromised system to a network of botnets
  • Communicate with other peer nodes through the peer to peer (P2P) protocol
  • Inject itself into the browser processes for Internet Explorer, Chrome, and Firefox in order to monitor communications and hijack information.

Dridex can hide its tracks on the infected system by generating an AutoStart registry key upon system shutdown as well as removing it’s configuration file from the machine registry. In addition to this, it uses a modified Peer-to-Peer network originally used by ‘Gameover ZeuS’ malware to avoid IP reputation lists.

Evolving Tactics, Techniques and Procedures

A campaign impersonating eFax contained what appears to be a Microsoft Word document but is in fact a “.zip” archive containing a “.xls” macro which downloaded two executables:

  1. Dridex
  2. Remote Manipulator System Remote Access Tool (RMS RAT)

By delivering a banking trojan and RAT together, the threat group are using the banking trojan purely for credential hijacking via browsers and use the RAT for more complex management of the infected computer.  Having these two factors working together will also help the threat group maintain control by having a backup communication channel in case one of the malware families is been detected.

Indicators of Compromise (IOCs)

MD5 107a3bef0da9ab2b42e3e0f9f843093b
d0aa5b4dd8163eccf7c1cd84f5723d48
ed8cdd9c6dd5a221f473ecf3a8f39933
7760b336c4f13466b2f83ad25894dc3b
SHA-1 fc5d6fc2cbb1d95864f5ed26b50e4ebe68333eab
08e2224e19aaf8783569c7b978b42667a414da75
9d628309734ad766ad44a597a729a59306df9319
9c687d0be871068b4ed10130047f1b5790786fad
SHA-256 7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a a03b89440688b587519bef8dc1409131e6f8eb8a41b91afd6ac6ddd50701962d 166bd27de260cccbfcdcb21efc046288043bd44c4f08e92cd1e1f9eb80cca7ff cbd130b4b714c9bb0a62e45b2e07f3ab20a6db3abd1899aa3ec21f402d25779e
URLs hxxp[:]//aeromodernimpex[.]com/onlinegoogle/onlinegoogle[.]php        hxxp[:]//atakan[.]com/98ygubyr5?        
hxxp[:]//hwayou[.]com.tw/98ygubyr5? 
hxxp[:]//wildelet.com/inf/02.18-00973[.]doc     
hxxp[:]//letrebone[.]com/p66/387fty3  
hxxp[:]//witsemehat[.]net/info/SCAN_0502_5F27[.]7z   
hxxp[:]//techknowlogix[.]net/98ygubyr5?           
hxxp[:]//fbl[.]com[.]sg/98ygubyr5?        
hxxp[:]//ferienimboden[.]com/98ygubyr5?
IP 185[.]39[.]149[.]21
31[.]41[.]45[.]197
185[.]91[.]175[.]64
93[.]26[.]217[.]203
193[.]26[.]217[.]203
77[.]74[.]103[.]150
199[.]201[.]121[.]169
5[.]55[.]154[.]235
159[.]226[.]92[.]9
09[.]20[.]67[.]87
194[.]150[.]118[.]25

Vulnerable systems

Windows operating systems are affected only.

Advice

Invinsec recommends the following activities:

  • User awareness training for spotting malicious emails
  • Use Two Factor Authentication for all business critical applications to reduce the impact of stolen credentials
  • Blocking macro-enabled documents on perimeter email gateways:
    • .js (JavaScript)
    • .jar (Java)
    • .bat (batch file)
    • .exe (Windows executable)
    • .cpl (Control Panel)
    • .scr (screen saver)
    • .com (COM file)
    • .pif (program information file)
    • .vbs (Visual Basic Script)
    • .ps1 (Windows PowerShell)
    • .wsf (Windows Script File)
    • .docm (Microsoft Word with macros)
    • .xlsm (Microsoft Excel with macros)
    • .pptm (Microsoft PowerPoint with macros)

Leave a Reply