Dridex Down Under

Posted by Zachariah Boren (Administrator), 11.05.15, 04:38 PM

11.05.15 03:00 PM

Raytheon | Websense® Security Labs™ has been tracking malicious email campaigns associated with the Dridex banking Trojan since 2014. An interesting development this past week was a regional move to target Australia: Dridex botnet 220-related emails were being sent to potential victims in the land down under. This is a change from recent months, in which Dridex botnet 220 campaigns displayed a heavy bias towards U.K.-based potential victims.

The focus on Australia in the email lure targeting was further confirmed by analysis of the botnet configuration file. The configuration file downloaded by infected computers included directions to take "Clickshots" when potential victims access certain Australian banking websites.
Raytheon | Websense customers are protected against this threat via real-time analytics with ACE, the Websense Advanced Classification Engine, at the different stages of the attack detailed below:
  • Stage 2 (Lure) - ACE has protection against the malicious email sent to targets.
  • Stage 5 (Dropper) - ACE has protection against the malicious doc files and the malware files.
  • Stage 6 (Call Home) - ACE has live, real-time protection against the malicious traffic generated by the malware associated with this threat.
Email Lures

The email lures were rudimentary in content. One campaign spoofed the target's own domain in the sender address. The other used the email address of a property management company as the sender (the company subsequently issued a warning on its website).
Sender: konica@

Subject: Message from KMBT_C252

Attachment: SKMBT_C25213120613510.doc
Sender: @posei.com.au

Subject: November 2015 Tax Invoice

Attachment: November_2015_Tax_Invoice_3903_001.doc OR 3903_001.doc
Malicious Doc Attachments
As is typical of Dridex botnet 220-related email campaigns (and of Shifu-related campaigns as well, see our previous blog here), the messages carried a Microsoft Word .doc file containing an obfuscated macro that attempted to download an executable from one of these URLs:
hxxp://www.arredoshop[.]com/76f7564d/267879u98c.exe
hxxp://www.indigocamp[.]com/76f7564d/267879u98c.exe
hxxp://aabisolution[.]com/76f7564d/267879u98c.exe
hxxp://nuncfashion[.]com/76f7564d/267879u98c.exe
The executable is the Dridex loader, which then injects the Dridex DLL into the Windows Explorer process.
The attachments are detected by the Raytheon | Websense Sandbox Module as malicious:
Target Spread
When we examine these two specific campaigns via Raytheon | Websense TRITON® APX reporting, we can see that more than 650,000 of these messages were stopped in the Raytheon | Websense cloud and hybrid email environment. Slicing up by recipient top-level domain (TLD) shows a heavy bias of these campaigns towards Australian potential victims.

In fact, 99.91% were sent to recipients with addresses that had .au country code.
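An added example (not part of the Websense post or this forum thread): a small triage script that turns the two lure observations above, a sender spoofed to the target's own domain and a Word .doc attachment, together with the recipient-TLD slicing used in the target-spread analysis, into checks over constructed message metadata. The message records, domains and SPF results are assumptions made for illustration.

```python
# Added example (not from the Websense post): lure heuristics + TLD slicing.
from collections import Counter

# Constructed records modelled on the two lures above (addresses made up).
MESSAGES = [
    {"from": "konica@example.com.au", "to": "alice@example.com.au",
     "subject": "Message from KMBT_C252",
     "attachment": "SKMBT_C25213120613510.doc", "spf": "fail"},
    {"from": "invoices@posei.com.au", "to": "bob@example.com.au",
     "subject": "November 2015 Tax Invoice",
     "attachment": "3903_001.doc", "spf": "pass"},
    {"from": "hr@example.com.au", "to": "carol@example.com.au",
     "subject": "Payslip", "attachment": "payslip.pdf", "spf": "pass"},
    {"from": "news@vendor.example.co.uk", "to": "dave@example.co.uk",
     "subject": "Newsletter", "attachment": None, "spf": "pass"},
]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def tld(addr):
    """Last domain label, e.g. 'au' for a .com.au recipient."""
    return domain(addr).rsplit(".", 1)[-1]

def lure_indicators(msg):
    """Lure heuristics a message matches, in a fixed order."""
    hits = []
    same_domain = domain(msg["from"]) == domain(msg["to"])
    # Lure 1 spoofed the target's own domain as sender: same domain + SPF fail.
    if same_domain and msg["spf"] != "pass":
        hits.append("spoofed-own-domain")
    elif not same_domain:
        hits.append("external-sender")
    # Both lures carried a Word .doc attachment (the macro carrier).
    if (msg["attachment"] or "").lower().endswith((".doc", ".docm")):
        hits.append("doc-attachment")
    return hits

def suspicious(messages):
    """(subject, hits) where a .doc arrives with a sender indicator."""
    return [(m["subject"], hits) for m in messages
            for hits in [lure_indicators(m)]
            if "doc-attachment" in hits and len(hits) > 1]

def tld_share(messages):
    """Percentage of recipients per TLD, as in the target-spread analysis."""
    counts = Counter(tld(m["to"]) for m in messages)
    total = sum(counts.values())
    return {t: round(100.0 * c / total, 2) for t, c in counts.items()}
```

A .doc sent by an authenticated internal sender yields only the `doc-attachment` indicator and is therefore not flagged, which keeps the check aimed at the two lure shapes the post describes.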
Botnet Configuration File

A few minutes after infecting a victim, the Dridex Trojan downloads a full configuration file from one of the Command & Control nodes. The configuration file contains various sections informing the Trojan of what techniques to use in order to collect credentials from different websites. One of the techniques used is a form of taking a screenshot that's referred to as "Clickshot." This is applied to certain websites where other techniques such as HTTP injection or form grabbing are not effective.

The Clickshot logic specifies a number of clicks and a vertical and horizontal range that define an area around the mouse cursor. This is done to defeat virtual-keyboard security: by taking a series of screenshots of a small area around the mouse cursor at each click, the cyber-criminals hope to capture the login credentials.

When examining the section below, we can see that, among other targets, users browsing to Australian banking sites will have their login transactions recorded by "Clickshots."
Summary

We can see that recent reports of Dridex's death have been greatly exaggerated, with several botnets in operation (120/121, 301, and 220). Regional shifts and expansions are to be expected from time to time, although it was unusual to see botnet 220 making the shift. Historically, botnet 120-related campaigns were used with a more specific regional focus (such as France).
Blog contributors: Ran Mosessco, Nick Griffin
Indicators of Compromise (IOCs)


Payload:

SHA1: 2d633c80ef9d1f61e37c3d30e3b613d45f327550
http://community.websense.com/blogs/...own-under.aspx