Not dead yet: Dridex actors resume operation with new distribution and Shifu banking Trojan

Following a month-long hiatus after a number of arrests, and despite a recent reported takedown, Dridex actors appear to have taken the recent disruptions as a challenge to bounce back better than ever. Proofpoint researchers analyzed the activity in the recent return to operations of the Dridex actors and identified numerous changes in behavior, from technical innovations to distributing other banking and data-stealing malware. Key points include:

• Dridex spam ceased in the month of September following the arrest of Andrei Ghincul, aka Smilex, allegedly responsible for much of Dridex spam. [1] [2] [3]
• Dridex spam resumed at the beginning of October, with all of the sub-botnets delivered by the same spam botnet.
• Dridex 220 botnet operations resumed on October 1 and have been going strong since.
• Dridex 120 operations resumed on October 16.
• Proofpoint observed a new Dridex botnet ID 301 and a rarely-seen Dridex botnet ID 121.
• Proofpoint observed return of exceptional volumes of spam, with multiple days exhibiting message volumes at or above the busiest days of the past six months.
• The same spam botnet that distributes Dridex also spread the Shifu banking Trojan, targeting Japanese and UK users and demonstrating that the actors are willing to diversify.
• The botnet also spread Ursnif data-stealing malware targeting Australian users.

The Five Elements of a Modern Attack

When attempting to decipher the recent developments around Dridex it may be useful to place them in the context of the larger framework employed by many modern cyberattackers. Such a framework typically consists of five elements: Actor, Vector, Hoster, Payload, and C2.

1. Actor: The attacker organization; real humans driven by various motivations, often financial for cybercriminals.
2. Vector: The delivery mechanism; email via attacker-controlled or leased spam botnet is a dominant vector, though social media is growing.
3. Hoster: The sites hosting malware; if malware is not directly attached to email, macro-enabled documents or exploit-kit emplaced droppers will source from these sites.
4. Payload: The malware; software that will enable the attacker to make use of (control, exfiltrate data from, download more software to) the target computer.
5. C2: the command and control channel that serves to relay commands between the emplaced malware and attackers.

This framework enables attackers to operate in robust, horizontally segmented ecosystems, specializing in developing certain parts of the framework, and selling or leasing to others; such frameworks are resistant to takedowns and individual component failures. But such frameworks also increase attackers' detection surface; that is, their susceptibility to discovery. By tracking each of these elements, defenders can infer other elements and take the appropriate defensive measures. 

Dridex botnets observed

Dridex 220 operations resumed on October 1 and have been going strong since. The Dridex 220 botnet takedown announced October 13 seemed to be followed by just a 1-day pause in spam activity, on October 14. Proofpoint has since observed fourteen daily Dridex 220, and testing shows that this malware is currently able to successfully pull down DLLs and configuration files.

Dridex 120 operations resumed on October 16 and Proofpoint has since observed seven daily campaigns for this botnet. In addition, Proofpoint observed new sub-botnet IDs, specifically 301 and 121. The following are the specific Dridex botnets and the dates on which they were observed by Proofpoint:

• Dridex 220: October 1, 5, 6, 7, 8, 9, 12, 13, 15, 19, 21, 22, 23, 26
• Dridex 120: October 16, 19, 20, 22, 26, 27, 28
• Dridex 121: October 19
• Dridex 301: October 22

Dridex spam volumes and observations

In these spam campaigns, Proofpoint researchers noted the following details:

• October 22 was remarkable in that we detected 4 Dridex spam campaigns: Dridex botnets 120, 220 (morning and evening) and 301 were all distributed by spam bots in a single day
• The largest volume of messages sent out in a single campaigns was two times the average message volume of Dridex campaigns in October (Dridex Botnet 220 - 19th October)
• The smallest volume of email messages sent out in a single campaign was a sub-100 message campaign for Dridex botnet 121 on October 19
• We continue to see invoice and transaction email lures (Fig. 1) used widely
• Most of the emailed malicious document attachments are empty or used a generic “Enable macros to view this document” lure. However, the tiny Dridex 121 campaign of October 19 employed an interesting document lure (Fig. 2)

Figure 1: Invoice lure from October 21 Dridex 220 campaign

Figure 2: High-quality document lure from October 19 Dridex 121 campaign

Shifu banking Trojan

The same botnet (consisting of around 4 to 10 thousand infected spam machines, depending on the day) distributing Dridex 120, 220, 121 and 301 [5], was also observed distributing the Shifu banking Trojan, demonstrating that the actors are willing to diversify or are looking for additional options should law enforcement actions prove successful.

First reported in late August [6], the Shifu banking Trojan combines features from numerous other well-known banking Trojans, including Zeus, Dyre, Dridex and others. While this sophisticated hybrid employs a configuration file similar in format and technique to that of Dridex, it also has stealth, obfuscation, anti-analysis, C2 and even anti-malware [7] capabilities that Dridex does not, and has to date been observed targeting primarily banking customers in Japan and the UK.

On October 7, the botnet sent out emails in Japanese claiming be a confirmation for an order, but which in reality contained attachments such as "1312061102_13233939se.doc" that used macros to download a Shifu banking Trojan targeting Japanese users.

Figure 3: Email with order confirmation lure distributing Shifu targeting Japanese users

On October 20, another campaign was observed using messages with the Subject "Purchase Order No: 48847" and containing attachment "PO_48847.DOC,” or with subject "john.doe@somecompany.com" (the recipient's address) and attachment "FINAL NOTIFICATION.xls." The attachments are Microsoft Office documents containing malicious macros which download Shifu banking Trojan, this time targeting customers of banks in the United Kingdom. [4] (Fig. 4)

Figure 4: Email with order confirmation lure distributing Shifu targeting UK users

We previously observed this spam botnet spreading primarily Dridex, which might be taken to suggest that it was under the control of a single group or small set of individuals. On its own, however, this fact is not enough to connect these instances of Shifu to the actors distributing Dridex; for example, the infected machines could be infected with more than one spam bot, or the spammer could simply be doing a friend a favor. However, additional analysis revealed other commonalities: for example, the builder used to generate the Shifu documents was the same one used by Dridex 220, with similar file names, empty document body, similar payload location URI structure (that is, location from which the Microsoft Word document downloads the Shifu or Dridex payload).

Example Payload URLs for October 20 Shifu:

[hxxp://ladiesfirst-privileges[.]com/656465/d5678h9.exe]

[hxxp://papousek.kvalitne[.]cz/656465/d5678h9.exe]

[hxxp://pmspotter[.]wz[.]cz/656465/d5678h9.exe]

Example Payload URLs for October 19 Dridex 220:

[hxxp://demo9.iphonebackstage[.]com/35436/5324676645.exe]

[hxxp://euroagroec[.]com/35436/5324676645.exe]

[hxxp://webmatique[.]info/35436/5324676645.exe]

On October 28, Proofpoint researchers observed another large campaign that appeared to be from the same actor, also distributing Shifu and targeting UK users with an “Order Confirmation” lure and malicious document attachment. In another example of this actor’s continued variation of payloads, the campaign employed a Neutrino Bot as the initial payload, which then downloaded Shifu as a second payload.

Ursnif data-stealing malware

In October, this same spam botnet was observed also spreading Ursnif data-stealing malware. For example, on October 21 there was a campaign of Australian-targeted emails containing randomly named attachments that used malicious macros to download Ursnif. Interestingly, the documents employed the same visual template as was utilized by Dridex sub-botnet 200 back in April 2015. (Fig. 5)

Figure 5: Document that downloads Ursnif once macros are enabled

The Ursnif sample analyzed by Proofpoint targeted users of the following banking sites:

suncorpbank.com.au

commbank.com.au

bendigobank.com.au

westpac.com.au

stgeorge.com.au

banksa.com.au

bankofmelbourne.com.au

nab.com.au

anz.com

ibanking.*.au

bankwest.com.au

banking?.anz.com

wintrade-international.com.au

Conclusion

Recent observations by Proofpoint researchers have confirmed that the Dridex 220 botnet more than survived recent takedown attempts. Moreover, these analyses show that the actors behind the Dridex 220 botnet are in fact also behind recent Shifu campaigns in the UK and Japan, and at least one Ursnif campaign targeting Australian banking customers. These findings underscore the resilience and adaptability of these actors and highlight the danger they continue to pose to individuals and organizations.

References

[1] https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

[2] https://isc.sans.edu/forums/diary/Botnets+spreading+Dridex+still+active/20295

[3] www.justice.gov/opa/pr/bugat-botnet-adaministrator-arrested-and-malware-disabled

[4] https://www.lexsi.com/securityhub/dridex-bruteres-inside-the-dridex-spam-machine/?lang=en

[5] http://researchcenter.paloaltonetworks.com/2015/10/dridex-is-back-and-targeting-the-uk/

[6] https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/

[7] http://www.darkreading.com/vulnerabilities---threats/new-shifu-banking-trojan-an-uber-patchwork-of-malware-tools/d/d-id/1322039

IOCs