SANS Internet Storm Center, InfoCON: green: Botnet-based malicious spam seen this week, (Wed, Jun 17th)

Introduction

Botnets continually send out malicious spam (malspam). As mentioned in previous diaries, we see botnet-based malspam delivering Dridex and Dyre malware almost every day [1, 2]. Recently, someone sent us a malicious Word document from what appeared to be Dridex malspam on Tuesday 2015-06-16. (Thanks, Wayne... You know who you are!) Unfortunately, while investigating the malware, I could not generate the full range of infection traffic. Otherwise, the traffic follows the same general patterns we've previously seen with Dridex.

Examples of the malspam

Dridex has been using Microsoft Word documents and Excel spreadsheets designed to infect a computer if macros are enabled, which matches the infection vector used by this malspam. Shown below are two examples of the malspam from Tuesday 2015-06-16. Both examples claim the recipient has made an error in tax forms. This wave of malspam used a Word document for the malicious attachment. As seen before with botnet-based malspam, the emails have different senders, subject lines, attachment names, and message text. Due to these

Examples of the Word documents

The image below shows an example of a Word document sent on 2015-06-16. File names consist of random characters. Random characters are also seen in the Authors and Last saved by

Macros are not enabled in the default installation for Microsoft Office.

Traffic seems typical of Dridex we've seen the past couple of months. Last month, the follow-up executable was retrieved from a pastebin.com URL over HTTP.

The attempted TCP connections shown below would normally result in SSL traffic, but the servers did not respond. That's probably an issue for this particular sample or possibly my environment's connection to the Internet.

  • 5.144.130.35 port 80 - dolphin2000.ir - GET /tmp/89172387.txt
  • 5.144.130.35 port 80 - dolphin2000.ir - GET /tmp/lns.txt
  • 1.1.5.4 - Echo (ping) request
  • www.dropbox.com - GET /s/2djqlpaqdudzlrx/iol.exe?dl=1 (https)
  • 5.9.99.35 port 80 - savepic.su - GET /7230030.png
  • 5.9.99.35 port 80 - savepic.su - GET /images/notfound.png
  • 176.9.143.115 port 2443 - attempted TCP connection
  • 185.12.94.48 port 7443 - attempted TCP connection
  • 193.13.142.11 port 8443 - attempted TCP connection
  • 176.9.143.115 port 2443 - attempted TCP connection
  • 185.12.94.48 port 7443 - attempted TCP connection

Reviewing the traffic in Security Onion using the Emerging Threats and ET PRO signature sets shows a few Snort events, as shown in the image below. There's nothing Dridex-specific in the events, and I've seen savepic.su used before with malspam using Chanitor to send Vawtrak [3, 4]. At first, I wasn't certain this was Dridex, but the VirusTotal
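As an added example (not code from the diary), the following Python triage script flags the traffic sequence listed above in a simple connection log: text-file staging fetched from a /tmp/ path, an .exe pulled from a file-sharing host with dl=1, and TCP attempts to the nonstandard ports seen here. The log format, the source IPs and the 203.0.113.x addresses are constructed for the example, and treating those ports as suspicious is an assumption to tune for your own environment.

```python
import re
from collections import defaultdict

# Ports from the diary's attempted TCP connections. Treating them as
# suspicious "443-alike" C2 ports is an assumption for this example.
SUSPECT_PORTS = {2443, 7443, 8443}

# Constructed sample lines (not from the diary's pcap). Fields are:
# src_ip dst_ip dst_port host method path; "-" marks a bare TCP attempt.
SAMPLE_LOG = """\
10.0.0.5 5.144.130.35 80 dolphin2000.ir GET /tmp/89172387.txt
10.0.0.5 5.144.130.35 80 dolphin2000.ir GET /tmp/lns.txt
10.0.0.5 203.0.113.10 443 www.dropbox.com GET /s/2djqlpaqdudzlrx/iol.exe?dl=1
10.0.0.5 5.9.99.35 80 savepic.su GET /7230030.png
10.0.0.5 176.9.143.115 2443 - - -
10.0.0.5 185.12.94.48 7443 - - -
10.0.0.5 193.13.142.11 8443 - - -
10.0.0.9 203.0.113.20 443 www.dropbox.com GET /s/abcdef/report.pdf?dl=1
10.0.0.9 93.184.216.34 80 example.com GET /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+) (\S+)$")


def classify(line):
    """Return the indicator category one log line matches, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, port, host, method, path = m.groups()
    port = int(port)
    if method == "-" and port in SUSPECT_PORTS:
        return "tcp_nonstandard_443_port"
    if method == "GET" and path.startswith("/tmp/") and path.endswith(".txt"):
        return "txt_staging_download"
    if method == "GET" and ".exe" in path.lower() and "dl=1" in path:
        return "exe_from_file_host"
    return None  # savepic.su and ordinary browsing are not flagged on their own


def find_suspect_hosts(log_text, min_categories=2):
    """Group hits by source IP and flag hosts that show at least
    min_categories distinct indicator types, i.e. the chain seen in the diary
    rather than a single generic request."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        cat = classify(line)
        if cat:
            hits[line.split()[0]][cat].append(line.strip())
    return {src: dict(cats) for src, cats in hits.items()
            if len(cats) >= min_categories}
```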

Malware

The following artifacts were retrieved from the infected Windows host:

  • C:\Users\username\AppData\Local\Temp\21807.bat
  • C:\Users\username\AppData\Local\Temp\21807.ps1
  • C:\Users\username\AppData\Local\Temp\21807.vbs
  • C:\Users\username\AppData\Local\Temp\8.exe
  • C:\Users\username\AppData\Local\Temp\444.jpg

The file 8.exe is an executable that deletes itself shortly after it is executed.

Final words

Botnet-based malspam is something we see almost every day. A quick Google search on Dridex returns several articles with good insight into this malware. However, traffic from Dridex and other botnets continually evolves. What's current one week could be out-of-date the next.

If you run across any interesting malspam, feel free to use our contact form and send us a copy. However, we're always interested in the samples.

Traffic and the associated malware for this diary can be found at:

The zip file is protected with the standard password. If you don't know it, email admin@malware-traffic-analysis.net and ask.

---
Brad Duncan
ISC Handler and Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://isc.sans.edu/diary/Recent+Dridex+activity/19687
[2] https://isc.sans.edu/diary/UpatreDyre+the+daily+grind+of+botnetbased+malspam/19657
[3] http://malware-traffic-analysis.net/2015/03/24/index2.html
[4] http://www.rackspace.com/blog/malicious-email-campaign-spreads-vawtrak-malware/
[5] https://www.virustotal.com/en/file/1ea2548ae6060765f125ed6173eeabf167eb53d70adde6f2c293b179526909ca/analysis/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.