Cisco Blogs

Dridex Attacks Target Corporate Accounting

March 4, 2015

In February, Cisco Managed Threat Defense (MTD) security investigators detected a rash of Dridex credential-stealing malware delivered via Microsoft Office macros. It’s effective, and the lures appear targeted at those responsible for handling purchase orders and invoices. Here’s a breakdown of the types of emails we’ve observed phishing employees and inserting trojans into user devices.

Subjects captured from Dridex campaign in February 2015


Attackers have been creating new variants of the Dridex infostealer and sending them out using botnets every few days for the past several months, as reported in December by the Talos Group. The same group of attackers has been operating botnets of Dridex-infected computers since October 2014. The Dridex botnets are referenced by number. For example, the number 120, found in the trojan's configuration file, pins this victim to the 120 botnet. This incident describes an email attack campaign that distributes the infostealer Dridex and controls it via botnet 120.

Victims Tricked into Enabling Macros

Remember that Microsoft Office macros were commonly used to deliver malware from 1996 – 2002. Around 2002, Microsoft changed the default installation of Office so that macros would not run automatically when a document containing macros was opened. In October of 2014, attackers changed their method to trick users into enabling macros, as you’ll see in this incident.

Here’s the fake invoice our victim received.

Dridex phishing lure via email


Cisco MTD telemetry indicates that the victim read this email via Outlook webmail at gadgets.live.com at 14:17:37 UTC. A while later, at 15:44:49 UTC, the user opened the email attachment, named 14109KW.doc, and enabled macros. This started the infection process to install the Dridex infostealer.

Cisco MTD analysis of the document using ExifTool found that it contained no characters.

Document metadata indicates the computer it was created on was in a country using the Cyrillic alphabet

CodePage: Windows Cyrillic
Characters: 0
AppVersion: 11.9999
File Size: 50688 bytes
SHA256 hash: 84ef5406a61b4fb0703768a120e9f107d569387276357d88ef77c936c1ec109a
MD5 hash: dda0e41140a88f59ca25f4f987a8e862

When the user opened the document, they saw the following blank document.

Blank document containing Dridex trojan hidden in macro


Probably thinking that enabling macros would make the document display correctly, the victim enabled macros, which triggered the malicious payload.

Detection

Cisco MTD investigators use IP lists from botnet trackers to hunt for Dridex connections, correlating related alerts and full packet capture to verify the compromise. In this case, a victim was discovered exfiltrating data to the Dridex botnet, as illustrated below.

Illustrated NetFlow output showing compromised host connection to the Dridex Botnet


Correlation with Alerts and Packet Capture

Once the connection was observed, the Cisco MTD investigator searched for correlating events to confirm the breach. The Sourcefire retrospective file event below demonstrated that the compromise was progressing. Due to the low detection rate by antivirus, neither the malicious document nor the malware downloaded by the macro was blocked by endpoint controls; the final payload, the Dridex trojan, started running on the target host. Here's the initial alert.

Retrospective file alert for Dridex trojan downloaded to victim


Once the investigator observed the malicious file alert, he searched and correlated an HTTP POST connection to the Dridex malware command and control (C2) server. Using full packet capture, the Cisco MTD investigator analyzed the HTTP POST and correlated a final confirmation, the telltale indicators of Dridex inside the HTTP header, shown below.

Unique parameters found in HTTP POST transmissions from a Dridex infected host


Uncovering the Dridex Configuration Files

The server at IP address 85.143.166.72 is located in Russia and has been used for hosting malware for the past 11 months.

The server responded to the POST connection with a large transfer of 379,549 bytes containing configuration information for the Dridex malware. This file tells the malware on which websites to intercept passwords from users. Specifically, it lists 338 online banking websites. In this case, most of the banks are in Europe, the UK, or Asia. If an infected victim visits one of these banks' websites, the malware will copy the authentication credentials and send them to the Dridex botnet.

As an added capability, Dridex can inject HTML as the bank websites are displayed to ask the user for extra information, such as their Social Security number or ATM PIN, at login. This extra information is also sent to the botnet to be used for financial fraud and identity theft.

The packets captured during this attack enabled the investigator to study the trojan hidden inside the macro. It was obfuscated with random code that is never called so as to avoid malware detection controls found in antivirus software. Buried in all the junk code was this string of hex-encoded values:

Private Const VoN = "687474703A2F2F36322E37362E3138382E3232312F616B736A6464657277642F61736462776B2F64686F65692E657865"

When macros are enabled and the macro runs, this hex-encoded string is converted to ASCII to create the URL of the payload:

hxxp://62[.]76[.]188[.]221/aksjdderwd/asdbwk/dhoei.exe
Filename: dhoei.exe
SHA256: 2ad9b362775fe8a5a70ea4707325699123480e2827abdd2893ff566b80e86ea8
MD5: 01f2a64aa594fceab83bf8818a312a44

This EXE downloaded by the macro is saved as %TEMP%\dsHHH.exe on the host. At the time of analysis, this binary was detected as malware by only 7 of 57 antivirus programs.
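The decoding step described above, as an added example that is not code from the post or from Cisco MTD: a small triage helper that scans VBA macro source for long hex string constants, decodes the ones that are printable ASCII, and reports any URL they contain in defanged form. The macro fragment is constructed around the constant quoted in the post; the junk constant and variable names are made up.

```python
import re

# Constructed sample: the hex constant quoted in the post, surrounded by
# the kind of never-called junk code the dropper uses as padding.
MACRO_SRC = '''
Dim qq As Integer
Private Const junk1 = "4B4C4D"
Private Const VoN = "687474703A2F2F36322E37362E3138382E3232312F616B736A6464657277642F61736462776B2F64686F65692E657865"
'''

# A Const whose value is a long (16+ chars) hex string is suspicious.
HEX_CONST = re.compile(r'Const\s+(\w+)\s*=\s*"([0-9A-Fa-f]{16,})"')
URL_RE = re.compile(r'https?://[^\s"\']+')


def decode_hex_constants(src):
    """Return {name: decoded_text} for every Const whose value is an
    even-length hex string that decodes to printable ASCII."""
    found = {}
    for name, hexval in HEX_CONST.findall(src):
        if len(hexval) % 2:
            continue
        raw = bytes.fromhex(hexval)
        if all(32 <= b < 127 for b in raw):
            found[name] = raw.decode("ascii")
    return found


def defang(url):
    """Defang a URL the way the post does: hxxp:// and [.] in the host."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    hostname, colon, port = host.partition(":")
    return (scheme.replace("http", "hxxp") + "://"
            + hostname.replace(".", "[.]") + colon + port + sep + path)


def extract_payload_urls(src):
    """Defanged URLs hidden inside hex-encoded constants of a macro."""
    urls = []
    for text in decode_hex_constants(src).values():
        for url in URL_RE.findall(text):
            urls.append(defang(url))
    return urls


if __name__ == "__main__":
    for u in extract_payload_urls(MACRO_SRC):
        print(u)
```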

Cisco MTD research found that variations of the macro used in this attack got the Dridex download from different locations including:

hxxp://92[.]63[.]87[.]40/aksjdderwd/asdbwk/dhoei.exe
hxxp://95[.]163[.]121[.]217/aksjdderwd/asdbwk/dhoei.exe
hxxp://95[.]163[.]121[.]219/aksjdderwd/asdbwk/dhoei.exe
hxxp://62[.]76[.]188[.]221/aksjdderwd/asdbwk/dhoei.exe

Upon execution, the EXE creates a DLL file which was detected as malicious by only 3 of 57 antivirus programs. This DLL implements the infostealer functions of Dridex and communicates with the Dridex botnet. To do that, it uses a configuration file containing the botnet number and IP addresses of the botnet servers:

<config botnet="120" servers="85.143.166.72;205.185.119.159:8080;92.63.88.97" />
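The hunting step from the Detection section, applied to this configuration, as an added example that is not code from the post or from Cisco MTD: parse the botnet number and server list out of the config element, then flag NetFlow-style records whose destination matches a listed server (on IP alone when the config gives no port, on IP and port when it does). The flow records are constructed, not real telemetry; the internal addresses are made up.

```python
import re
from collections import namedtuple

# Configuration element as quoted in the post.
DRIDEX_CONFIG = (
    '<config botnet="120" '
    'servers="85.143.166.72;205.185.119.159:8080;92.63.88.97" />'
)

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
FLOWS = [
    ("10.1.2.34", "205.185.119.159", 8080, 379549),
    ("10.1.2.34", "93.184.216.34", 443, 5120),
    ("10.1.2.35", "85.143.166.72", 443, 2048),
    ("10.1.2.36", "205.185.119.159", 443, 100),
]

Server = namedtuple("Server", "ip port")


def parse_config(xml_text):
    """Return (botnet_id, [Server]) from a Dridex-style <config .../> element.
    A server without an explicit port gets port None (match on IP only)."""
    botnet = re.search(r'botnet="(\d+)"', xml_text).group(1)
    servers_attr = re.search(r'servers="([^"]*)"', xml_text).group(1)
    servers = []
    for entry in filter(None, servers_attr.split(";")):
        ip, _, port = entry.partition(":")
        servers.append(Server(ip, int(port) if port else None))
    return botnet, servers


def match_flows(flows, servers):
    """Flows whose destination is a listed C2 server; port is checked
    only when the config specifies one for that server."""
    hits = []
    for src, dst, dport, nbytes in flows:
        for s in servers:
            if s.ip == dst and (s.port is None or s.port == dport):
                hits.append((src, dst, dport, nbytes))
                break
    return hits


if __name__ == "__main__":
    botnet, servers = parse_config(DRIDEX_CONFIG)
    for hit in match_flows(FLOWS, servers):
        print("botnet", botnet, "suspect flow:", hit)
```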

Conclusion

This case shows the value of leveraging security intelligence intersected with network forensics via NetFlow. Vigilant detection is necessary to catch advanced threats, since they are designed to evade existing security controls such as antivirus software. These tools, along with confirmation via full packet capture, enabled investigators to detect the malware, confirm the breaches, trace out the origin of the attacks, and guide the customer to safely mitigate this threat. Armed with this understanding, customers changed at-risk passwords with pinpoint precision, and guided users to watch for this new phishing campaign, advising them not to enable macros when receiving unexpected documents.


2 Comments

  1. Great article Martin. "The binary was detected as malware by only 7 of 57 antivirus programs". This is scary!!! What would you attribute such a low detection rate by the other 50 AV?

    • Murilo: Advanced malware is designed to avoid detection. Attackers use techniques like polymorphism to prevent signature-based detection such as antivirus from spotting the attack and remaining one step ahead.