Dridex Down Under

Posted by Zachariah Boren on the SZONE.US Forums (Web Findings), 11.05.15, 04:38 PM

11.05.15 03:00 PM

Raytheon | Websense® Security Labs™ has been tracking malicious email campaigns associated with the Dridex banking Trojan since 2014. An interesting development this past week was a regional move to target Australia. Dridex botnet 220-related emails were being sent to potential victims in the land down under. This is a change from recent months, when Dridex botnet 220 campaigns have displayed a heavy bias towards U.K.-based potential victims.

The focus on Australia in the email lure targeting was further confirmed by analysis of the botnet configuration file. The configuration file downloaded by infected computers included directions to take "Clickshots" when potential victims access certain Australian banking websites.

Raytheon | Websense customers are protected against this threat via real-time analytics with ACE, the Websense Advanced Classification Engine, at the different stages of the attack detailed below:

  • Stage 2 (Lure) - ACE has protection against the malicious email sent to targets.
  • Stage 5 (Dropper) - ACE has protection against the malicious doc files and the malware files.
  • Stage 6 (Call Home) - ACE has live, real-time protection against the malicious traffic generated by the malware associated with this threat.

Email Lures

The email lures were rudimentary in content. One campaign was spoofing the target domain in the sender. The other used the email address of a property management company as the sender (the company subsequently issued a warning on its website).

Campaign 1

  Sender: konica@
  Subject: Message from KMBT_C252
  Attachment: SKMBT_C25213120613510.doc

Campaign 2

  Sender: @posei.com.au
  Subject: November 2015 Tax Invoice
  Attachment: November_2015_Tax_Invoice_3903_001.doc OR 3903_001.doc

Malicious Doc Attachments

As is typical of Dridex botnet 220-related email campaigns (and Shifu-related email campaigns as well, see our previous blog here), the messages carried an MS-Word doc file, which contained an obfuscated macro that attempted to download an executable from one of these URLs:





The executable is the Dridex loader, which then injects the Dridex DLL into the Windows Explorer process.
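The chain just described (Word macro fetches an executable, the loader then injects into Explorer) is something a host-telemetry rule can correlate. The following is an added detection example for this thread, not Websense/Raytheon code: it assumes Sysmon-style events (ID 1 process create, ID 3 network connection, ID 8 CreateRemoteThread) with the field names shown, and the sample events, hosts and file names are constructed for illustration.

```python
# Added detection example, not Websense/Raytheon code: correlate Sysmon-style host
# events for the chain described in the post (Word macro fetches an executable; the
# loader injects into explorer.exe). Field names and sample events are constructed.
import os
from datetime import datetime, timedelta

OFFICE_IMAGES = {"winword.exe", "excel.exe"}   # macro hosts to watch
WINDOW = timedelta(minutes=5)                    # drop -> inject must happen within this

# Constructed sample telemetry. ws01 shows the full chain; ws02 shows an
# explorer.exe remote thread from an unrelated process and must not alert.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2015-11-05T14:01:00", "host": "ws01", "pid": 1200, "ppid": 800,
     "image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE"},
    {"id": 3, "ts": "2015-11-05T14:01:07", "host": "ws01", "pid": 1200,
     "image": "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE",
     "dst": "203.0.113.10", "dport": 80},
    {"id": 1, "ts": "2015-11-05T14:01:09", "host": "ws01", "pid": 1300, "ppid": 1200,
     "image": "C:\\Users\\jane\\AppData\\Local\\Temp\\payload.exe"},
    {"id": 8, "ts": "2015-11-05T14:01:12", "host": "ws01", "source_pid": 1300,
     "source_image": "C:\\Users\\jane\\AppData\\Local\\Temp\\payload.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"id": 1, "ts": "2015-11-05T14:02:00", "host": "ws02", "pid": 2200, "ppid": 900,
     "image": "C:\\Program Files\\SomeTool\\helper.exe"},
    {"id": 8, "ts": "2015-11-05T14:02:05", "host": "ws02", "source_pid": 2200,
     "source_image": "C:\\Program Files\\SomeTool\\helper.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
]


def _basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def _user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\users\\public\\" in p


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_macro_dropper_chain(events):
    """One alert per host where an Office process spawned an executable from a
    user-writable path and that executable then opened a remote thread in
    explorer.exe within WINDOW. The alert also records whether the Office
    process made an outbound connection before the drop (the macro download)."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        evs = sorted(evs, key=_ts)
        office_pids = {e["pid"] for e in evs
                       if e["id"] == 1 and _basename(e["image"]) in OFFICE_IMAGES}
        # pid -> creation event of executables spawned by an Office process
        droppers = {e["pid"]: e for e in evs
                    if e["id"] == 1 and e["ppid"] in office_pids and _user_writable(e["image"])}
        for e in evs:
            if e["id"] != 8 or _basename(e["target_image"]) != "explorer.exe":
                continue
            drop = droppers.get(e["source_pid"])
            if drop is None or not (timedelta(0) <= _ts(e) - _ts(drop) <= WINDOW):
                continue
            office_pid = drop["ppid"]
            downloaded = any(x["id"] == 3 and x["pid"] == office_pid and _ts(x) <= _ts(drop)
                             for x in evs)
            alerts.append({"host": host, "office_pid": office_pid, "dropper": drop["image"],
                           "office_connected_first": downloaded,
                           "injected_into": e["target_image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_macro_dropper_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on parent/child lineage rather than on file names or hashes, so it survives the payload URL and dropper name changing between campaigns; the time window keeps an unrelated, much later remote thread from being tied to an old Office session.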

The attachments are detected by the Raytheon | Websense Sandbox Module as malicious:

Target Spread

When we examine these two specific campaigns via Raytheon | Websense TRITON® APX reporting, we can see that more than 650,000 of these messages were stopped in the Raytheon | Websense cloud and hybrid email environment. Slicing up by recipient top-level domain (TLD) shows a heavy bias of these campaigns towards Australian potential victims.

In fact, 99.91% were sent to recipients with addresses that had .au country code.
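The two lure patterns listed under "Email Lures" and the recipient-TLD slicing above are the kind of thing a mail-gateway triage script does. The following is an added example for this thread, not Websense/Raytheon code: the message records and field names are constructed, the regular expressions are generalised from the observed subjects and attachment names, and the "external" flag is assumed to mean the message arrived from outside the organisation.

```python
# Added triage example, not Websense/Raytheon code: match mail metadata against the
# two lure patterns described in the post and slice recipients by top-level domain.
# Records and field names are constructed; "external" is assumed to mean the message
# came in from outside the organisation's own mail system.
import re
from collections import Counter

# Patterns generalised from the observed subjects/attachments.
SCANNER_SUBJECT = re.compile(r"^Message from KMBT_C\d{3}$")
SCANNER_ATTACH = re.compile(r"^SKMBT_C\d+\.doc$", re.IGNORECASE)
INVOICE_SUBJECT = re.compile(r"^[A-Z][a-z]+ \d{4} Tax Invoice$")
INVOICE_ATTACH = re.compile(r"^(?:[A-Za-z]+_\d{4}_Tax_Invoice_)?\d{4}_\d{3}\.doc$", re.IGNORECASE)

# Constructed sample records (addresses and domains are placeholders).
SAMPLE_MESSAGES = [
    {"from": "konica@acme.com.au", "to": "jane@acme.com.au",
     "subject": "Message from KMBT_C252", "attachment": "SKMBT_C25213120613510.doc",
     "external": True},                                   # spoofed scanner lure
    {"from": "accounts@posei.com.au", "to": "bob@example.net.au",
     "subject": "November 2015 Tax Invoice", "attachment": "3903_001.doc",
     "external": True},                                   # tax invoice lure
    {"from": "mfp@acme.com.au", "to": "jane@acme.com.au",
     "subject": "Message from KMBT_C252", "attachment": "SKMBT_C25213120613510.pdf",
     "external": False},                                  # genuine internal scanner
    {"from": "news@vendor.com", "to": "ops@acme.com",
     "subject": "November 2015 Newsletter", "attachment": "",
     "external": True},                                   # benign
]


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def tld(dom):
    """Last label only, so acme.com.au and example.net.au both count as 'au'."""
    return dom.rsplit(".", 1)[-1]


def classify(msg):
    """Return the list of lure indicators a message matches (empty if none)."""
    reasons = []
    frm, to = domain(msg["from"]), domain(msg["to"])
    att = msg.get("attachment", "")
    # Sender domain equal to the recipient's own domain on an inbound external
    # message is the "spoofing the target domain" pattern.
    if msg.get("external", False) and frm == to:
        reasons.append("sender spoofs recipient domain")
    if SCANNER_SUBJECT.match(msg["subject"]) and SCANNER_ATTACH.match(att):
        reasons.append("scanner lure (KMBT doc)")
    if INVOICE_SUBJECT.match(msg["subject"]) and INVOICE_ATTACH.match(att):
        reasons.append("tax invoice lure")
    return reasons


def triage(msgs):
    """(recipient, reasons) for every message that matched at least one indicator."""
    hits = []
    for m in msgs:
        reasons = classify(m)
        if reasons:
            hits.append((m["to"], reasons))
    return hits


def tld_breakdown(msgs):
    """Percentage of recipients per TLD, rounded to two decimals."""
    counts = Counter(tld(domain(m["to"])) for m in msgs)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()}


if __name__ == "__main__":
    for to, reasons in triage(SAMPLE_MESSAGES):
        print(to, reasons)
    print(tld_breakdown(SAMPLE_MESSAGES))
```

Note that the scanner-notification lure only scores when the subject and a .doc attachment match together; a real multifunction printer sending a PDF from inside the organisation passes, which is the false-positive case the third sample record covers.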

Botnet Configuration File

A few minutes after infecting a victim, the Dridex Trojan downloads a full configuration file from one of the Command & Control nodes. The configuration file contains various sections informing the Trojan of what techniques to use in order to collect credentials from different websites. One of the techniques used is a form of taking a screenshot that's referred to as "Clickshot." This is applied to certain websites where other techniques such as HTTP injection or form grabbing are not effective.

The Clickshot logic includes the number of clicks and a vertical and horizontal range to define an area around the mouse. This is done to defeat virtual keyboard security. By taking a series of screenshots in a small area around the mouse cursor, the cyber-criminals are hoping to grab the login credentials.

When examining the section below, we can see that, among other targets, users browsing to Australian banking sites will have their login transactions recorded by "Clickshots."


We can see that recent reports of Dridex's death have been greatly exaggerated, with several botnets in operation (120/121, 301, and 220). Regional shifts and expansions are to be expected from time to time, although it was unique to see botnet 220 making the shift. Historically, botnet 120-related campaigns were used with a more specific regional focus (such as France).

Blog contributors: Ran Mosessco, Nick Griffin

Indicators of Compromise (IOCs)

Attachments SHA1





Payload URI






SHA1: 2d633c80ef9d1f61e37c3d30e3b613d45f327550

C2 (First level):




