Fake Order Malspam Campaign: Macro-Enabled Doc Downloads Dridex

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a malspam campaign posing as an order confirmation. The attachment is a macro-enabled Microsoft Word document that downloads the Dridex financial malware.

Below is a screenshot of an example email from this campaign:

[Screenshot (2015-11-12): example email from the campaign]

Details of the email that can be used for detection purposes:

Return-Path: <horia.porumboiu@professionalbrands[.]ro>
Received: from mail.professionalbrands[.]ro (mail.professionalbrands[.]ro. [81.12.183[.]62])
Subject: P23Y229N
Attachment: END26O4Z4X3.doc

Upon opening the malicious Word document (MD5: ADA694A6D66547CC06E132EE44424544), if macros are disabled, the victim is presented with an image commonly used in similar malspam campaigns, politely asking the end user to enable “Macroses” (macros) in order to “view” the non-existent content.

[Screenshot (2015-11-12): document lure asking the user to enable macros]

Enabling macros only allows the malicious embedded VBA code to run. That code reaches out to agentseek[.]com/mg.jpg?614 (52.8.32[.]9) to download the Dridex payload, as can be seen in the image below:

[Screenshot (2015-11-12): network capture of the macro's request to agentseek[.]com/mg.jpg?614]

The downloaded content appears to be a JPEG image, but it is actually the encoded payload. The JPEG file (MD5: D752837D0EE0E5D49D1F72F52279948E) is downloaded to the following location on disk:

C:\Users\{Username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZNL4QWHR\mg[1].jpg
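One generic check a proxy or sandbox can apply to the observation above is to compare what a response claims to be (its Content-Type header or URL extension) with what its leading bytes actually look like. The following is an added example, not code from the LookingGlass write-up; the post does not say how the payload was encoded, so the sample bodies are constructed here and the only page-derived value is the URL path `/mg.jpg?614`.

```python
# Added example (not from the LookingGlass write-up): flag an HTTP response whose
# declared type or file name says "JPEG" but whose bytes do not carry the JPEG
# Start-Of-Image marker. The sample bodies below are constructed for the demo.
from typing import Optional

# Well-known leading-byte signatures (magic numbers) for a few common types.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
    "application/x-msdownload": (b"MZ",),   # PE executable (DOS header)
}

# Fallback mapping when the server sends no Content-Type.
EXT_TO_TYPE = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".pdf": "application/pdf", ".exe": "application/x-msdownload",
}


def sniff(body: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if nothing matches."""
    for mime, signatures in MAGIC.items():
        if any(body.startswith(sig) for sig in signatures):
            return mime
    return None


def declared_type(url_path: str, content_type: Optional[str]) -> Optional[str]:
    """What the server or URL claims the body is: Content-Type wins, else the extension."""
    if content_type:
        return content_type.split(";")[0].strip().lower()
    path = url_path.split("?", 1)[0].lower()   # drop the query string ("?614")
    for ext, mime in EXT_TO_TYPE.items():
        if path.endswith(ext):
            return mime
    return None


def check_response(url_path: str, content_type: Optional[str], body: bytes) -> Optional[str]:
    """Return a finding when the claimed type and the sniffed type disagree, else None."""
    claimed = declared_type(url_path, content_type)
    actual = sniff(body)
    if claimed is None or actual == claimed:
        return None
    return f"{url_path}: claims {claimed} but body looks like {actual or 'unknown/opaque data'}"


if __name__ == "__main__":
    # Constructed bodies: a real JPEG header, an opaque blob, and a PE header.
    samples = [
        ("/mg.jpg?614", "image/jpeg", b"\xff\xd8\xff\xe0" + bytes(16)),
        ("/mg.jpg?614", None, bytes(range(64))),
        ("/mg.jpg?614", "image/jpeg", b"MZ" + bytes(62)),
    ]
    for path, ctype, body in samples:
        print(check_response(path, ctype, body))
```

The second and third samples produce findings; the first does not. A body that fails this check is not proof of malice on its own, but combined with a download triggered by a Word process it is a strong signal worth alerting on.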

Once decoded, the payload (MD5: 1E8F525EE60DFAD995793A7F7508F83D) is written to disk and launched from the following location:

C:\Users\{Username}\AppData\Roaming\U77feFVT30iLq2066.exe

[Screenshot (2015-11-12): decoded payload written to disk and launched]

The payload has been detected as Dridex by multiple vendors on VirusTotal: https://www.virustotal.com/en/file/d44d8801daf2c7fd27ce513230a89e620b5c55f1d14ff0a692801016e76729ec/analysis/

By dumping the process memory of our Dridex payload, we can quickly see some IP addresses and ports it reaches out to for initial communications, presumably to obtain the peer node lists.

[Screenshot (2015-11-12): IP addresses and ports found in the dumped process memory]

The above IP address and port combinations are:

85.214.71[.]240:4438
188.165.152[.]190:4438
46.37.1[.]88:473
91.142.221[.]195:5445

According to LookingGlass’ ScoutVision, the second C&C IP address has been an active C&C since at least November 7th, and the third and fourth IP addresses have been active since at least October 24th.

Since Dridex has already been identified and analyzed in detail by numerous other security researchers, we stopped our analysis here. The LookingGlass CTIG recommends blocking any email from the malspam sender, as well as blocking any network communication to or from the IP addresses or domain listed below.

Summary of IOCs:

horia.porumboiu@professionalbrands[.]ro
81.12.183[.]62
agentseek[.]com/mg.jpg?614
52.8.32[.]9
85.214.71[.]240:4438
188.165.152[.]190:4438
46.37.1[.]88:473
91.142.221[.]195:5445
ADA694A6D66547CC06E132EE44424544
D752837D0EE0E5D49D1F72F52279948E
1E8F525EE60DFAD995793A7F7508F83D
C:\Users\{Username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZNL4QWHR\mg[1].jpg
C:\Users\{Username}\AppData\Roaming\U77feFVT30iLq2066.exe
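The email details given above for detection and the IoC summary are most useful once they are applied to real telemetry. The following is an added example, not code from the LookingGlass write-up: it keeps the published indicators in their defanged form, refangs them in memory, and matches them against constructed mail headers, constructed firewall/proxy log lines (the `src:port -> dst:port` layout is an assumption of this example, not a real product format), and a list of MD5 digests.

```python
# Added example (not from the LookingGlass write-up): match the published
# indicators against mail headers, network log lines and file hashes.
# Indicators are stored defanged as published; all sample inputs are constructed.
import hashlib
import re

IOC_SENDERS = {"horia.porumboiu@professionalbrands[.]ro"}
IOC_SUBJECTS = {"P23Y229N"}
IOC_ATTACHMENTS = {"END26O4Z4X3.doc"}
IOC_IPS = {"81.12.183[.]62", "52.8.32[.]9"}          # sending MTA, payload host
IOC_URLS = {"agentseek[.]com/mg.jpg?614"}
IOC_C2 = {"85.214.71[.]240:4438", "188.165.152[.]190:4438",
          "46.37.1[.]88:473", "91.142.221[.]195:5445"}
IOC_MD5 = {"ADA694A6D66547CC06E132EE44424544",       # the .doc
           "D752837D0EE0E5D49D1F72F52279948E",       # mg[1].jpg
           "1E8F525EE60DFAD995793A7F7508F83D"}       # dropped .exe


def refang(ioc: str) -> str:
    """Turn the '[.]' notation used in published IoCs back into a real dot."""
    return ioc.replace("[.]", ".")


SENDERS = {refang(s).lower() for s in IOC_SENDERS}
IPS = {refang(i) for i in IOC_IPS}
URLS = {refang(u) for u in IOC_URLS}
C2 = {refang(c) for c in IOC_C2}
MD5S = {h.lower() for h in IOC_MD5}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\w")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IP_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def check_email(headers: dict) -> list:
    """headers: header name -> value for one message. Returns matched indicators."""
    hits = []
    for name, value in headers.items():
        lname = name.lower()
        for addr in EMAIL_RE.findall(value):
            if addr.lower() in SENDERS:
                hits.append(f"{name}: known malspam sender {addr}")
        for ip in IP_RE.findall(value):
            if ip in IPS:
                hits.append(f"{name}: known sending host {ip}")
        if lname == "subject" and value.strip() in IOC_SUBJECTS:
            hits.append(f"{name}: campaign subject {value.strip()}")
        if lname == "attachment" and value.strip() in IOC_ATTACHMENTS:
            hits.append(f"{name}: campaign attachment name {value.strip()}")
    return hits


def check_network_log(lines) -> list:
    """Assumed line layout: '<ts> <action> <proto> src:port -> dst:port [request]'."""
    hits = []
    for line in lines:
        for ip, port in IP_PORT_RE.findall(line):   # exact peer:port matches first
            if f"{ip}:{port}" in C2:
                hits.append(f"Dridex C&C peer {ip}:{port}")
        for ip in IP_RE.findall(line):              # then bare infrastructure IPs
            if ip in IPS:
                hits.append(f"campaign infrastructure {ip}")
        for url in URLS:                            # then the payload URL
            if url in line:
                hits.append(f"payload URL {url}")
    return hits


def check_hashes(md5_hexdigests) -> list:
    """Return the digests (lower-cased) that match a published sample hash."""
    return [h.lower() for h in md5_hexdigests if h.lower() in MD5S]


# ---- constructed sample inputs (refanged from the published indicators) ----
SAMPLE_HEADERS = {
    "Return-Path": f"<{refang('horia.porumboiu@professionalbrands[.]ro')}>",
    "Received": f"from {refang('mail.professionalbrands[.]ro')} [{refang('81.12.183[.]62')}]",
    "Subject": "P23Y229N",
    "Attachment": "END26O4Z4X3.doc",
}
SAMPLE_LOG = [
    f"2015-11-12T13:58:40 ALLOW TCP 10.0.0.5:49201 -> {refang('52.8.32[.]9')}:80 "
    f"GET http://{refang('agentseek[.]com/mg.jpg?614')}",
    f"2015-11-12T14:02:11 ALLOW TCP 10.0.0.5:49213 -> {refang('85.214.71[.]240')}:4438",
    "2015-11-12T14:02:15 ALLOW TCP 10.0.0.5:49214 -> 203.0.113.7:443",   # benign (TEST-NET-3)
]
SAMPLE_HASHES = [
    "ada694a6d66547cc06e132ee44424544",   # the malicious .doc, lower-cased
    hashlib.md5(b"").hexdigest(),          # benign: the well-known hash of an empty file
]

if __name__ == "__main__":
    for hit in check_email(SAMPLE_HEADERS) + check_network_log(SAMPLE_LOG):
        print("HIT:", hit)
    print("hash hits:", check_hashes(SAMPLE_HASHES))
```

Matching on the C&C entries as exact `ip:port` pairs, rather than on the bare addresses, keeps the alert tied to what was actually observed in the dump; the bare-IP set is reserved for the sending mail server and the payload host, which were seen without a specific port of interest.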