High-Volume Dridex Banking Trojan Campaigns Return

[Updated April 7, 2017, to reflect additional campaigns and new activity by this actor]

Overview

Instances of the Dridex banking Trojan were frequently distributed in high-volume email campaigns throughout 2015 and the first half of 2016. While Dridex actors largely turned to distributing Locky ransomware later in 2016, Trojan Dridex remained popular for distribution in lower-volume and personalized or targeted attacks. The first quarter of 2017, however, has largely been devoid of any high-volume campaigns, with most analysts attributing the relative quiet to a disruption in the Necurs botnet that had previously been used for mass distribution of Locky and Dridex.

Now, however, Proofpoint researchers have observed the first two large-scale Dridex campaigns this year: Dridex botnet ID 7200, many in double-zipped archive attachments. These multi-million message campaigns have similar distribution in some cases to previous massive Locky campaigns and suggest that the these threat actors’ sending infrastructure is returning to full operation.

Analysis

Beginning March 30, 2017, Proofpoint researchers observed a spike in massive Dridex malware campaigns spreading via various methods. The figure below shows the relative Dridex message volumes observed in recent campaigns; the spike represents millions of messages compared to the low volumes observed recently.

Figure 1: Recent indexed Dridex campaign volumes, since the beginning of 2017

Looking at a longer time frame, while the current spike in volume represents a comeback of large-scale activity, it is still only a fraction of the all-time-high volumes of Dridex-bearing messages we observed in the first half of 2016.

Figure 2: Dridex analysis of message volumes since October 2015

March 30 Campaigns Analysis

On March 20, 2017, we observed an instance of Dridex malware with botnet id 7200 spreading via Zip- or RAR-compressed VBS and EXE attachments. The messages in the campaign included:

• Subject line "Your Booking 12345678" (random digits) and matching attachment "Direct-Documentation 12345678-1.zip"
• Subject line "Emailing: P1234567.JPG" (random digits) and matching attachment "P1234567.JPG.zip"

The attachments were

• Double-zipped VB scripts
• Double-zipped executables
• Zipped RAR archives containing executables

If executed, the scripts downloaded an instance of the Dridex banking trojan with botnet ID "7200". Some of the payloads were the intermediate "Quant Loader", which in turn downloaded Trojan Dridex. We observed this instance of Dridex targeting organizations in France, the UK, and Australia.

Figure 3: Example email delivering Dridex botnet ID 7200 on March 30, 2017

March 31 Campaigns Analysis

On March 31, we observed a Dridex botnet id 7200 campaign spreading via Zip-compressed executables. Specifically, email messages included

• Subject line "Payment Request", containing an attachment such as "Invoice_123456~002.zip" (random digits)
• Subject line "[GameStop] Order No.654321" (random digits), with an attachment such as 123456-789012-20170331-345678-cdef1234-5678-90ab-cdef-0123456789ab.zip" (random digits and hexadecimal digits)

The attachments were Zip archives containing an executable and a benign decoy PDF file named "info.pdf". The executables were Smoke Loader, which in turn downloaded the Dridex banking Trojan with botnet ID "7200".

Figure 4: Example email delivering Trojan Dridex botnet ID 7200 on March 31, 2017, using stolen branding and an outdated domain to add legitimacy to the lure

Another campaign on this day delivered messages with

• Subject "Thank you for your order (ES87654321) [SEC=UNCLASSIFIED]" (random digits) and matching Microsoft Word attachment "RAMACK_ES87654321_20160330123.DOC" (random digits after the date)
• Subject "Your on board receipt from JQ1234 - ABCDEF - 2017-03-30" (random digits and letters) with the attachment "receipt.zip"

The document attachment used macros to download Dridex botnet 7500. Inside the zip was another zip and then finally a Dridex botnet 7500 executable. This instance of Dridex was recently observed targeting organizations in Australia.

Figure 5: Example email delivering Dridex malware botnet ID 7500 on March 31, 2017

Figure 6: Screenshot of the document contained in the Dridex email

Similarity with mass-spammed Locky Affid=3 campaigns

We also identified similarities between these large Dridex campaigns and the mass volume Locky affiliate ID 3 campaigns from 2016. We identified similar links between Dridex affiliate 220 and Locky affiliate 3 campaigns. Specifically:

The email lures generated by the spammer are similar:

• “From” is typically a random first name or random first name/last name combination with a random domain, e.g. “Jean” <Jean@somedomain.com> or “john doe” <john.doe@somedomain> (idiosyncratically using lower case for the last name)
• Randomized filenames using random digits or hexadecimal digits, often reflected in the subject as well as the attachment
• Some campaigns use a fixed “From” with a random domain, e.g. “Administrator” <admin@somedomain.com>
• Campaigns are often pretending to be document scans

Malicious Javascript, VBScript, or Microsoft Word macros are similar:

• Macros and VBScript executables have payload URLs stored in a string array separated by “+”
• JavaScript executables have payload URLs stored Base64-encoded with an obfuscating “junk” string inserted
• Payloads are encrypted with a 32-byte XOR key

Figure 7: VBScript fragment from Locky Affid=3 campaign on December 21, 2016. This figure shows the payload URLs stored in a string array separated by “+”.

Figure 8: VBScript fragment from Trojan Dridex botnet 7200 campaign on March 30, 2017. This figure shows the payload URLs stored in a string array separated by “+”.

Figure 9: JavaScript fragments from Locky Affid=3 campaign on December 21, 2016

Figure 10: JavaScript fragments from a smaller Dridex botnet 7200 campaign on March 24, 2017

Conclusion

The re-emergence of high-volume Trojan Dridex campaigns raises questions about the types of attacks we will see from these actors in the coming months. It appears likely that large-scale malware spam may be returning after a three-month hiatus, but Dridex malware itself has been used extensively for some time now in smaller attacks as well. These campaigns still have not reached volumes we experienced with Dridex in the first half of 2016 and are not even approaching the massive volumes of many later Locky campaigns. They are notable, however, because of the contrast with the relative quiet of the first quarter of 2017. They also bear watching because of the variety of attachment types they are employing and the similarities to campaigns from some of the most prolific Locky and Dridex actors we have tracked over the last two years.

[Update: April 7, 2017]

Since we first reported the return of high-volume Dridex campaigns in this blog, we have observed additional campaigns worth noting. While the small-scale campaigns typical of the last six months continue, two more multi-million message campaigns targeting recipients in the United Kingdom were observed again this week. While banking Trojans, including Trojan Dridex, typically appear in campaigns early in the week, these again occurred on Thursday and Friday of this week.

The first, which began on April 6, included messages that were

• From "JOHN DOE <Johndoe@[random domain]>" (random name) with subject "12_Invoice_3456" (random digits) and attachment "PAY_4321.zip" (random digits)
• From '"C.E.F." <sales@[random domain]>' with subject "CEF Documents" and attachment "MTM123456_001.zip" (random digits)

The attachments contained zipped Microsoft VBScript files or zipped executables that, when decompressed and run, installed Godzilla Loader. Godzilla, in turn, installed Dridex malware botnet ID 7200. This group does not typically use Godzilla as an intermediate loader, although we have observed its use in other campaigns. The zip archives also featured harmless decoy PDF documents named "info_PAY_12345" (random digits) or "LETTER.PDF".

The second campaign, launched on April 7, included two different types of lures, attachments, and payloads:

• Messages claiming to attach a "Customer Statement"
  • The attachment is a double-zipped macro-enabled Microsoft Word file (.docm)
  • When the user decompresses the archive files and enables macros in the Microsoft Word document, the macros download and install Dridex botnet ID 7200
• Message claiming to attach an image file (PIC1234567.PNG; with random digits and various image file extensions)
  • The attachment is a double-zipped VBScript file
  • When executed, the VBScript downloads and installs the Kegotip information stealer

Kegotip has been making something of a resurgence lately and, last year, we observed Locky ransomware, Pony stealer, and Dridex malware, in addition to Kegotip, distributed via the RockLoader intermediate loader. RockLoader was primarily associated with Locky when we first discovered the malware. We will continue to monitor this actor and related campaigns to determine how intermediate and primary payloads will evolve, but this week’s continued activity indicates that this prolific threat actor is at least attempting a return to sustained, large-scale malware distribution campaigns.

Indicators of Compromise (IOCs)

ET and ETPRO Suricata/Snort Coverage

2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
2404322 | ET CNC Feodo Tracker Reported CnC Server group 23
2022124 | ET TROJAN Sharik/Smoke Loader Microsoft Connectivity Check
2821148 | ETPRO TROJAN Sharik/Smoke Checkin 2
2816171 | ETPRO TROJAN Smoke/Sharik HTTP 404 Containing EXE