2021-03-22-IOCs-from-Dridex-infection.txt
2021-03-22 (MONDAY) - MALICIOUS SPAM (MALSPAM) PUSHING DRIDEX MALWARE:
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1374092293276381187
DATA FROM 10 EXAMPLES OF EMAILS PUSHING DRIDEX:
MAIL SERVERS:
- Received: from ([39.40.31[.]252])
- Received: from ([41.227.25[.]145])
- Received: from ([79.42.215[.]190])
- Received: from ([87.16.89[.]165])
- Received: from ([93.42.7[.]100])
- Received: from ([95.249.117[.]48])
- Received: from ([114.5.213[.]108])
- Received: from ([213.60.190[.]210])
- Received: from host-217-58-220-34.business.telecomitalia.it ([217.58.220[.]34])
- Received: from it ([37.182.240[.]151])
SPOOFED SENDERS:
- From: Credit and Collections Dept <[email protected]>
- From: Credit and Collections Dept <[email protected]>
- From: Credit and Collections Dept <[email protected]>
- From: msc.com <[email protected]>
- From: msc.com <[email protected]>
- From: msc.com <[email protected]>
- From: msc.com <[email protected]>
- From: msc.com <[email protected]>
- From: MSC Inc. <[email protected]>
- From: MSC MEDITERRANEAN SHIPPING COMPANY (USA) INC. <[email protected]>
SUBJECT LINES:
- Subject: Freight overdue invoice Of 03_22_2021
- Subject: Freight Payment Notification Of 03_22_2021
- Subject: Ocean Freight overdue invoice Of 03_22_2021
- Subject: Ocean Freight Payment Notice Of 03_22_2021
- Subject: Ocean Freight Payment Notification Of 03_22_2021
- Subject: Ocean Freight Statement Of Outstanding As Of 03_22_2021
ATTACHED EXCEL SPREADSHEET:
- SHA256 hash: 3f4632f072dca5d71e765dcdb19f411d30a2609850ecd7234e550da2475cd925
- File size: 114,635 bytes
- File name: printouts of outstanding as of_03_22_2021.xlsm
- File name: printouts_of_outstanding as of_03_22_2021.xlsm
- File name: Statement of Account as of_03_22_2021.xlsm
- File name: Statement as of_03_22_2021.xlsm
- File description: Excel file with macro for Dridex malware
AT LEAST 31 URLS COULD BE GENERATED BY THE EXCEL MACRO FOR THE INITIAL MALWARE DLL:
- hxxps://absupplies[.]co[.]uk/et4fcy.tar
- hxxps://accounts.thesmarttechhub[.]com/fxg8ani8z.rar
- hxxps://agmcarpetcare[.]co[.]uk/vrwudng.rar
- hxxps://artedibujoyarquitectura[.]com/hjvt66w4y.zip
- hxxps://ayamallah[.]com/ct8dz98ef.rar
- hxxps://bardi[.]tv/in28z1xt.tar
- hxxps://buenavista[.]co/zw7616jjd.zip
- hxxps://calllocalattorneys[.]com/cos1lbi0.zip
- hxxps://codernet[.]net/dlf3se.tar
- hxxps://controladoradeplagasmm[.]com/g9h833opc.rar
- hxxps://corporativos[.]com[.]co/w074xgot.zip
- hxxps://ebruyatkin[.]com/bbi71whxu.zip
- hxxps://filmotainment[.]com/__MACOSX/filmotainment.com/images/slider//ft58oohsv.zip
- hxxps://foodie[.]digital/xri6vo4t2.tar
- hxxps://jewsjuice[.]com/fjmv5r5vu.rar
- hxxps://kevinjewelry[.]com[.]co/hya2l4.tar
- hxxps://ladylabonde[.]com/aiqsuyk.tar
- hxxps://litroxlitro[.]com/nnmj07n.tar
- hxxps://lp.tecnimasdecolombia[.]com[.]co/slvsw1d.zip
- hxxps://medevlb[.]org/w1egtdcq4.zip
- hxxps://pagos.krayem[.]com[.]mx/ctxmc2.zip
- hxxps://poppycharity[.]com/squhy1.rar
- hxxps://rawjee[.]com/eu603if57.zip
- hxxps://safety.nanotechproautocare[.]com/xvi3ck.tar
- hxxps://syedpro.dezinetimes[.]com/kdytpp.zip
- hxxps://tintasylaser[.]com/ikz76v8l3.tar
- hxxps://vidmattic[.]com/nzglgqfy.tar
- hxxps://www.chealablilitycarinsurances[.]com/jxoteqcn.tar
- hxxps://www.connectbyte[.]com[.]br/p8s3xau.zip
- hxxps://xmp.myracingaccounts[.]com/i7wgg83y.rar
ASSOCIATED MALWARE:
- SHA256 hash: 38cea6b8da276da415ba1f4127eb6db81f914e27335da458a540cd2db671886f
- File size: 354,304 bytes
- File location: hxxps://xmp.myracingaccounts[.]com/i7wgg83y.rar
- File location: C:\Users\[username]\AppData\Local\Temp\kkfofius.dll
- File description: Example of initial DLL file retrieved by Excel macro
- Run method: regsvr32.exe [filename]
- SHA256 hash: 6ccce784a050c40fb2ff43b7105a0bb5d0352751820b8ecc2e5ae13d25deae43
- File size: 671,744 bytes
- File location: C:\Users\[username]\AppData\Roaming\Internet Explorer\Quick Launch\User Pinned\TaskBar\8BZQKUfNh\XmlLite.dll
- File description: Example of 64-bit DLL for Dridex (1 of 3)
- Run method: Run by copy of legitimate file named DeviceEnroller.exe located in the same directory
- Note: Made persistent through Windows registry update
- SHA256 hash: 1a8d29247416bb4d8936435d0bcd94d769aae9631b840f05f0c2329414f855f7
- File size: 671,744 bytes
- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Protect\4RwSPPz\WTSAPI32.dll
- File description: Example of 64-bit DLL for Dridex (2 of 3)
- Run method: Run by copy of legitimate file named RDVGHelper.exe located in the same directory
- Note: Made persistent through scheduled task
- SHA256 hash: eb90b1dacc3dfefde35745ea1710b90f5f76a84fa4d94c66883ccc8918ecc977
- File size: 671,744 bytes
- File location: C:\Users\[username]\AppData\Roaming\Mozilla\Extensions\1NyedFiiw\WTSAPI32.dll
- File description: Example of 64-bit DLL for Dridex (3 of 3)
- Run method: Run by copy of legitimate file named MDMAppInstaller.exe located in the same directory
- Note: Made persistent through a Windows shortcut in the Start menu Startup folder
NOTE:
- SHA256 hashes and file sizes for the 64-bit DLL files for Dridex are unique for each infection, and these binaries are occasionally updated during an infection. A Dridex-infected host could have dozens of 64-bit malware DLL files in different locations, if it's been infected for several days.
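Because the DLL hashes and sizes differ for every infection, a host-side hunt for the three persistence entries above keys on the pattern they share rather than on the hashes: a DLL carrying a Windows system DLL name (XmlLite.dll, WTSAPI32.dll) sitting in a user-writable AppData directory next to a copied legitimate EXE that side-loads it, with a Run key, scheduled task or Startup shortcut pointing at that EXE, plus the regsvr32 launch of the initial DLL from the Temp folder. The script below is an added example, not part of this listing and not Unit 42 tooling. FILE_INVENTORY, PERSISTENCE and the command lines are constructed to mirror the paths on this page; the user name "alice", the benign "Vendor\Updater.exe" entry and the helper names are made up.

```python
"""Hunt for the Dridex persistence pattern described on this page.

Added example; all inventory, persistence entries and command lines below are
constructed (modelled on the page's paths), not real telemetry.
"""
import ntpath
import re
from collections import defaultdict

# DLL names the page shows being side-loaded; extend with other system DLL names.
SIDELOAD_DLL_NAMES = {"xmllite.dll", "wtsapi32.dll"}
# Legitimate homes for those DLLs; a copy anywhere else is suspect.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")

ROAMING = r"C:\Users\alice\AppData\Roaming"  # constructed profile path
FILE_INVENTORY = [  # constructed file listing, paths taken from this page
    ROAMING + r"\Internet Explorer\Quick Launch\User Pinned\TaskBar\8BZQKUfNh\XmlLite.dll",
    ROAMING + r"\Internet Explorer\Quick Launch\User Pinned\TaskBar\8BZQKUfNh\DeviceEnroller.exe",
    ROAMING + r"\Microsoft\Protect\4RwSPPz\WTSAPI32.dll",
    ROAMING + r"\Microsoft\Protect\4RwSPPz\RDVGHelper.exe",
    ROAMING + r"\Mozilla\Extensions\1NyedFiiw\WTSAPI32.dll",
    ROAMING + r"\Mozilla\Extensions\1NyedFiiw\MDMAppInstaller.exe",
    r"C:\Windows\System32\XmlLite.dll",      # legitimate copy, excluded by location
    r"C:\Windows\System32\regsvr32.exe",
    r"C:\Program Files\Vendor\Updater.exe",  # made-up benign entry
]
PERSISTENCE = [  # constructed (source, target) pairs for the three persistence methods on the page
    ("Run key", ROAMING + r"\Internet Explorer\Quick Launch\User Pinned\TaskBar\8BZQKUfNh\DeviceEnroller.exe"),
    ("scheduled task", ROAMING + r"\Microsoft\Protect\4RwSPPz\RDVGHelper.exe"),
    ("Startup .lnk", ROAMING + r"\Mozilla\Extensions\1NyedFiiw\MDMAppInstaller.exe"),
    ("Run key", r"C:\Program Files\Vendor\Updater.exe"),  # benign
]


def _under(path: str, roots) -> bool:
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def is_user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def find_sideload_candidates(paths):
    """Group files by directory and flag user-writable directories outside the
    system dirs that hold both a system-named DLL and an EXE (the copied loader)."""
    by_dir = defaultdict(list)
    for p in paths:
        d, name = ntpath.split(p)
        by_dir[d].append(name)
    findings = []
    for d, names in by_dir.items():
        if _under(d, SYSTEM_DIRS) or not is_user_writable(d):
            continue
        dlls = sorted(n for n in names if n.lower() in SIDELOAD_DLL_NAMES)
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        if dlls and exes:
            findings.append((d, dlls, exes))
    return findings


def correlate_persistence(findings, persistence):
    """Keep persistence entries whose target lives in a flagged directory."""
    flagged = {d.lower() for d, _, _ in findings}
    return [(src, target) for src, target in persistence
            if ntpath.dirname(target).lower() in flagged]


def _split_cmdline(cmdline: str):
    # Quoted arguments stay whole; everything else splits on whitespace.
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def suspicious_regsvr32(cmdline: str) -> bool:
    """regsvr32.exe registering a DLL from a user-writable path, as with the
    initial DLL the page shows in AppData\\Local\\Temp."""
    args = _split_cmdline(cmdline)
    if not args or ntpath.basename(args[0]).lower() != "regsvr32.exe":
        return False
    return any(a.lower().endswith(".dll") and is_user_writable(a) for a in args[1:])


if __name__ == "__main__":
    found = find_sideload_candidates(FILE_INVENTORY)
    for d, dlls, exes in found:
        print("side-load candidate:", d, dlls, exes)
    for src, target in correlate_persistence(found, PERSISTENCE):
        print("persistence ->", src, target)
```

On a real host the inventory would come from an EDR file listing or a recursive directory walk of each user profile, and the persistence list from the Run keys, the scheduled task XML actions and the targets of .lnk files in the Startup folder; the hash of the co-located EXE can then be compared with the copy in System32 to confirm it is the legitimate binary being abused.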
DRIDEX C2 TRAFFIC FROM AN INFECTION RUN IN A LAB ENVIRONMENT:
- 210.65.244[.]179 port 443 - HTTPS traffic
- 5.34.179[.]66 port 443 - HTTPS traffic
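The listing above is written in the usual defanged style (hxxps://, [.]), so it cannot be pasted straight into a blocklist or a log search. The script below is an added example, not part of this listing and not Unit 42 tooling: it refangs the text, pulls out SHA256 hashes, IPv4 addresses, URLs and hostnames, and then runs the same extractor over log lines so that any overlap is a hit. IOC_TEXT is an excerpt of this page's own indicators; SAMPLE_LOGS are constructed log lines (the relay name mx1.example.org, the client 10.0.0.15, the host WS015, the user "alice" and the timestamps are made up).

```python
"""Parse a defanged IOC list in the format of this page and match it against log lines.

Added example. IOC_TEXT is an excerpt of the page's indicators; SAMPLE_LOGS are
constructed and not real telemetry.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Excerpt of the indicators on this page, kept defanged exactly as published.
IOC_TEXT = """\
MAIL SERVERS:
- Received: from host-217-58-220-34.business.telecomitalia.it ([217.58.220[.]34])
- Received: from it ([37.182.240[.]151])
ATTACHED EXCEL SPREADSHEET:
- SHA256 hash: 3f4632f072dca5d71e765dcdb19f411d30a2609850ecd7234e550da2475cd925
URLS GENERATED BY THE EXCEL MACRO:
- hxxps://xmp.myracingaccounts[.]com/i7wgg83y.rar
- hxxps://filmotainment[.]com/__MACOSX/filmotainment.com/images/slider//ft58oohsv.zip
ASSOCIATED MALWARE:
- SHA256 hash: 38cea6b8da276da415ba1f4127eb6db81f914e27335da458a540cd2db671886f
DRIDEX C2 TRAFFIC:
- 210.65.244[.]179 port 443 - HTTPS traffic
- 5.34.179[.]66 port 443 - HTTPS traffic
"""

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Loose hostname matcher for bare names (DNS logs, Received headers). It is only
# applied after URLs have been cut out, so path components like "x.zip" are skipped.
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Undo the hxxp:// and [.] defanging used in the listing."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


@dataclass
class Indicators:
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    def __and__(self, other: "Indicators") -> "Indicators":
        return Indicators(self.hashes & other.hashes, self.ips & other.ips,
                          self.urls & other.urls, self.hosts & other.hosts)

    def __bool__(self) -> bool:
        return bool(self.hashes or self.ips or self.urls or self.hosts)


def extract(text: str) -> Indicators:
    """Pull hashes, IPv4 addresses, URLs and hostnames out of any text (IOC list or log line)."""
    t = refang(text)
    ind = Indicators()
    ind.hashes = {h.lower() for h in HASH_RE.findall(t)}
    ind.ips = set(IPV4_RE.findall(t))
    ind.urls = set(URL_RE.findall(t))
    for u in ind.urls:
        host = urlparse(u).hostname
        if host:
            ind.hosts.add(host.lower())
    ind.hosts |= {h.lower() for h in HOST_RE.findall(URL_RE.sub(" ", t))}
    return ind


IOCS = extract(IOC_TEXT)

# Constructed log lines: mail relay header, DNS, proxy, EDR file write, firewall, benign proxy.
SAMPLE_LOGS = [
    "2021-03-22T14:01:52Z mx1 Received: from it ([37.182.240.151]) by mx1.example.org",
    "2021-03-22T14:02:10Z dns client=10.0.0.15 qname=xmp.myracingaccounts.com qtype=A",
    "2021-03-22T14:02:11Z proxy client=10.0.0.15 GET https://xmp.myracingaccounts.com/i7wgg83y.rar 200",
    r"2021-03-22T14:03:01Z edr host=WS015 file_write C:\Users\alice\AppData\Local\Temp\kkfofius.dll "
    "sha256=38cea6b8da276da415ba1f4127eb6db81f914e27335da458a540cd2db671886f",
    "2021-03-22T14:05:43Z fw client=10.0.0.15 -> 210.65.244.179:443 TCP SYN",
    "2021-03-22T14:06:00Z proxy client=10.0.0.15 GET https://www.example.com/ 200",
]


def scan(lines, iocs: Indicators):
    """Return (1-based line number, matched indicators) for every line overlapping the IOC set."""
    hits = []
    for n, line in enumerate(lines, 1):
        common = extract(line) & iocs
        if common:
            hits.append((n, common))
    return hits


HITS = scan(SAMPLE_LOGS, IOCS)

if __name__ == "__main__":
    for n, common in HITS:
        print(n, common)
```

Running the extractor over both sides means a proxy line matches on the full URL and on the host, a DNS line matches on the bare host, and a Received header matches on the relay IP without any per-source parsing. The hostname regex is deliberately loose (it will also pick up names like kkfofius.dll from a file path), which is harmless because only the intersection with the IOC set is reported.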