Dridex, JavaScript, and Porta Johns

Yes, portable toilets. Dridex actors are getting creative.

But let's take a step back. Proofpoint researchers began tracking a new Dridex campaign today with some unusual features (as well as the millions of messages, which have become the new normal for these very large Dridex campaigns). This campaign is actually combining three different methods for distributing its payload in an attempt to increase its effectiveness.

The final payload is Dridex botnet ID 220 and this campaign is targeting the UK users (with injects for UK, AU and FR banks). While the targeting and botnet are nothing new, the combined vectors are. The messages sent in this campaign include:

  • Both Microsoft Word and Excel attachments with malicious macros
  • Document-based exploits that automatically download Dridex when the documents are opened on vulnerable systems (CVE-2015-1641 and possibly CVE-2012-0158)
  • Zipped JavaScript attachments disguised as PDF documents. This is a new approach for Dridex, although the JavaScript functions identically to the documents, attempting to download Dridex when executed by user.

Only one vector occurs in each email, so the actors rotated among them throughout the campaign.

As promised, though, the invoice itself claims to be for portable toilet rental. While some users may immediately discard this as spam (how many of us rent portable toilets regularly?), others may open the documents out of sheer curiosity.

Figure 1: Email from recent Dridex campaign with a fake invoice for portable toilet rental

When the Zip compressed JavaScript file is opened, we can see that it isn't a PDF that is extracted, but rather a .js file:

Figure 2: JavaScript file extracting from the zipped fake invoice

Further inspection shows that the JavaScript is highly obfuscated to deter detection by AV clients.

Figure 3: Extracted JavaScript file

On Windows systems, the JavaScript file looks innocuous enough and runs automatically when double clicked:

Figure 4: JavaScript file in Windows

When double-clicked, the JavaScript downloads the Dridex binary:

Figure 5: JavaScript file in Windows

In general, Dridex campaigns have been using macros almost exclusively to deliver their payloads as in the example below:

Figure 6: Email with an attached Excel file with a malicious macro that downloads Dridex

The document exploit looks similar but requires no user intervention other than opening the attached document on a vulnerable system. This, like the Javascript vector, is quite unusual for Dridex:

Figure 7: Email with an attached Word document with built-in document exploits

If the exploit is successful, users are presented with a decoy document:

Figure 8: Successful document exploit that drops Dridex

Although this is the moral equivalent of Hello World, it does, in fact, work on vulnerable systems. This decoy document is likely customizable and was meant to present something to make the user less suspicious, instead of this testing or debugging text.

 

The key takeaways here are:

  1. Dridex actors are getting creative in the vectors they use to deliver their payloads and are exploring new means for hiding from antivirus software and other detection measures
  2. Curiosity can, in fact, kill the cat - It is always worth reminding users not to open unusual or suspect attachments.

 

IOCs

Payloads downloaded by macro

URLS

  • [hxxp://xinchunge.com/xinchunge.com/43rf3dw/34frgegrg.exe]
  • [hxxp://taukband.com/43rf3dw/34frgegrg.exe]
  • [hxxp://www.prestigehomeautomation.net/43rf3dw/34frgegrg.exe]
  • [hxxp://best-drum-set.com/43rf3dw/34frgegrg.exe]
  • [hxxp://2696666.com/43rf3dw/34frgegrg.exe]
  • [hxxp://www.fisioescorial.es/43rf3dw/34frgegrg.exe]
  • [hxxp://obstipatie.nu/43rf3dw/34frgegrg.exe]

Command and Control IPs

  • 91.239.232.145:1743
  • 103.245.153.70:343
  • 185.24.92.236:1743
  • 144.76.73.3:1743
  • 103.23.154.184:443
  • 141.89.179.45:443
  • 148.202.223.222:443
  • 174.70.100.90:443
  • 176.53.0.103:443
  • 181.177.231.245:443
  • 181.53.255.145:444
  • 185.47.108.92:443
  • 188.126.116.26:443
  • 193.17.184.250:443
  • 194.126.100.220:443
  • 194.95.134.106:443
  • 200.57.183.176:443
  • 41.38.18.230:443
  • 41.86.46.245:443
  • 46.183.66.210:443
  • 5.9.37.137:444
  • 62.109.133.248:444

 

Subscribe to the Proofpoint Blog