Yes, portable toilets. Dridex actors are getting creative.
But let's take a step back. Proofpoint researchers began tracking a new Dridex campaign today with some unusual features (as well as the millions of messages, which have become the new normal for these very large Dridex campaigns). This campaign is actually combining three different methods for distributing its payload in an attempt to increase its effectiveness.
The final payload is Dridex botnet ID 220, and this campaign is targeting UK users (with injects for UK, AU and FR banks). While the targeting and botnet are nothing new, the combined vectors are. The messages sent in this campaign include:
- Both Microsoft Word and Excel attachments with malicious macros
- Document-based exploits that automatically download Dridex when the documents are opened on vulnerable systems (CVE-2015-1641 and possibly CVE-2012-0158)
Only one vector occurs in each email; the actors rotated among them throughout the campaign.
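As an added example (not code from the original post), the following Python triage classifies an Office attachment by its content rather than its file extension, separating the two delivery formats this campaign rotated between: OOXML files carrying an embedded VBA project, and legacy OLE or RTF documents, which cannot be vetted by a macro check and should go to deeper inspection. The sample documents are constructed inline; the category names are assumptions.

```python
import io
import zipfile

# Magic bytes: OLE compound file (legacy .doc/.xls), RTF header, ZIP local header (OOXML).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"

# OOXML stores VBA code in a vbaProject.bin part; its presence marks a macro document
# regardless of whether the file was renamed to .docx/.xlsx.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed-vba-project")
    return buf.getvalue()


def triage_attachment(data: bytes) -> str:
    """Return a triage category for an attachment based on content, not extension."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary Office: macros and embedded objects live in OLE streams,
        # so a simple part-name check is not enough; route to sandbox/static analysis.
        return "legacy-ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "malformed-zip"
        return "ooxml-macro" if names & VBA_PARTS else "ooxml-clean"
    return "other"


if __name__ == "__main__":
    for label, sample in [("macro doc", build_ooxml(True)), ("plain doc", build_ooxml(False))]:
        print(label, "->", triage_attachment(sample))
```

In a mail pipeline, anything returning "ooxml-macro", "legacy-ole" or "rtf" from an unexpected sender is a candidate for quarantine or detonation rather than delivery.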
As promised, though, the invoice itself claims to be for portable toilet rental. While some users may immediately discard this as spam (how many of us rent portable toilets regularly?), others may open the documents out of sheer curiosity.
Figure 1: Email from recent Dridex campaign with a fake invoice for portable toilet rental
In general, Dridex campaigns have been using macros almost exclusively to deliver their payloads as in the example below:
Figure 6: Email with an attached Excel file with a malicious macro that downloads Dridex
Figure 7: Email with an attached Word document with built-in document exploits
If the exploit is successful, users are presented with a decoy document:
Figure 8: Successful document exploit that drops Dridex
Although this is the moral equivalent of Hello World, it does, in fact, work on vulnerable systems. This decoy document is likely customizable and was presumably meant to show the user something less suspicious than this testing or debugging text.
The key takeaways here are:
- Dridex actors are getting creative in the vectors they use to deliver their payloads and are exploring new means for hiding from antivirus software and other detection measures
- Curiosity can, in fact, kill the cat: it is always worth reminding users not to open unusual or suspect attachments.
Payloads downloaded by macro
Command and Control IPs