Fake Order Malspam Campaign: Macro-Enabled Doc Downloads Dridex

The LookingGlass Cyber Threat Intelligence Group (CTIG) observed a malspam campaign disguised as an order confirmation. The attachment is actually a macro-enabled Microsoft Word document that downloads the Dridex financial malware.

Below is a screenshot of what an example of this campaign looks like:

[Screenshot: example email from the campaign]

Some of the important details about the email that can be used for detection purposes:

Return-Path: <horia.porumboiu@professionalbrands[.]ro>
Received: from mail.professionalbrands[.]ro (mail.professionalbrands[.]ro. [81.12.183[.]62])
Subject: P23Y229N
Attachment: END26O4Z4X3.doc
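The headers above are the kind of thing a mail gateway or SIEM rule would key on. The following script is an added example, not part of the original write-up: it parses a raw message and reports which of the listed indicators (sender domain, relaying IP, subject, attachment name) it matches, plus a generic heuristic for any legacy Word attachment. The sample message is constructed for the example, modelled on the headers shown; the defanging brackets are removed so the values match real headers.

```python
import re
from email import message_from_string

# Indicators taken from the write-up, with defanging brackets removed so they
# match the headers as they actually arrive.
IOC_SENDER_DOMAIN = "professionalbrands.ro"
IOC_RELAY_IP = "81.12.183.62"
IOC_SUBJECT = "P23Y229N"
IOC_ATTACHMENT = "END26O4Z4X3.doc"

# Generic heuristic (assumption, not from the write-up): any legacy Word
# attachment can carry VBA macros, so flag it even when the name is new.
MACRO_DOC_RE = re.compile(r"\.(doc|docm|dot|dotm)$", re.IGNORECASE)
# IPv4 literal in square brackets, as MTAs write it in Received: headers.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message modelled on the headers shown in the write-up.
SAMPLE_EMAIL = (
    "Return-Path: <horia.porumboiu@professionalbrands.ro>\n"
    "Received: from mail.professionalbrands.ro (mail.professionalbrands.ro. [81.12.183.62]) "
    "by mx.example.test with ESMTP id CONSTRUCTED123 for <user@example.test>\n"
    "From: horia.porumboiu@professionalbrands.ro\n"
    "To: user@example.test\n"
    "Subject: P23Y229N\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please find your order attached.\n"
    "--b1\n"
    'Content-Type: application/msword; name="END26O4Z4X3.doc"\n'
    'Content-Disposition: attachment; filename="END26O4Z4X3.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA\n"
    "--b1--\n"
)


def score_email(raw):
    """Return the names of the indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = []

    return_path = (msg.get("Return-Path") or "").strip().strip("<>")
    if return_path.lower().endswith("@" + IOC_SENDER_DOMAIN):
        hits.append("return_path_domain")

    # A message may carry several Received: headers; check each hop's IP.
    for received in msg.get_all("Received", []):
        if IOC_RELAY_IP in IPV4_RE.findall(received):
            hits.append("relay_ip")

    if (msg.get("Subject") or "").strip() == IOC_SUBJECT:
        hits.append("subject")

    # Walk every MIME part and look at attachment file names.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name == IOC_ATTACHMENT:
            hits.append("attachment_name")
        elif MACRO_DOC_RE.search(name):
            hits.append("office_attachment")

    return hits


if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))
```

Exact-match indicators such as the subject and attachment name will age quickly as the actors rotate them; the sender domain, relay IP and the generic Office-attachment heuristic are the parts worth keeping in a rule after the campaign changes.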

Upon opening the malicious Word document (MD5: ADA694A6D66547CC06E132EE44424544) with macros disabled, the victim is presented with an image commonly used in similar malspam campaigns, politely asking the end user to enable “Macroses” (macros) in order to “view” the non-existent content.

[Screenshot: decoy image asking the user to enable macros]

Enabling macros only lets the embedded malicious VBA code run; it reaches out to agentseek[.]com/mg.jpg?614 (52.8.32[.]9) to download the Dridex payload, as can be seen in the image below:

[Screenshot: VBA macro downloading mg.jpg from agentseek[.]com]

We can quickly see that the downloaded content appears to be a JPEG image, but it is actually the encoded payload. The JPEG file (MD5: D752837D0EE0E5D49D1F72F52279948E) is downloaded to the following location on disk:

C:\Users\{Username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZNL4QWHR\mg[1].jpg

Once it has been decoded, the payload (MD5: 1E8F525EE60DFAD995793A7F7508F83D) is written to disk and launched from the following location on disk:
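A file named mg.jpg that is not a JPEG is a useful detection point on its own. The following script is an added example, not part of the original write-up: it compares a file's claimed type (from its extension) with its leading bytes and checks its MD5 against the three hashes listed above. The sample files are constructed for the example. Note that the real download is an encoded payload, so magic-byte sniffing only tells you it is not an image, not what it decodes to.

```python
import hashlib

# File hashes listed in the write-up.
KNOWN_MD5 = {
    "ADA694A6D66547CC06E132EE44424544": "macro-enabled Word document",
    "D752837D0EE0E5D49D1F72F52279948E": "fake JPEG holding the encoded Dridex payload",
    "1E8F525EE60DFAD995793A7F7508F83D": "decoded Dridex payload",
}

# Standard file signatures for the types involved (not taken from the write-up).
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "pe"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc container
    (b"PK\x03\x04", "zip"),                        # .docx and other OOXML
]

# What each extension claims to be.
EXT_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "exe": "pe", "dll": "pe", "doc": "ole", "docx": "zip"}


def sniff(data):
    """Identify the real type of a file from its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess(filename, data):
    """Compare a file's claimed type with its content and check it against known hashes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TYPES.get(ext)
    actual = sniff(data)
    md5 = hashlib.md5(data).hexdigest().upper()
    return {
        "declared": declared,
        "actual": actual,
        # Only a mismatch when we know what the extension should look like.
        "mismatch": declared is not None and declared != actual,
        "known_as": KNOWN_MD5.get(md5),
        "md5": md5,
    }


# Constructed samples: a file named like the campaign's download whose bytes are
# not a JPEG, a minimal genuine JPEG/JFIF header, and a legacy OLE document header.
FAKE_JPG = b"\x7a\x19\xc4\x02" + bytes(range(256))
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

if __name__ == "__main__":
    for name, blob in [("mg[1].jpg", FAKE_JPG), ("photo.jpg", REAL_JPG), ("END26O4Z4X3.doc", OLE_DOC)]:
        print(name, assess(name, blob))
```

In practice this check is most useful on a proxy or sandbox that sees the download in transit, or as a sweep over the Temporary Internet Files cache path given above: a `.jpg` in that cache that fails the JPEG signature check is worth pulling for analysis even before its hash is known.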


[Screenshot: decoded payload location on disk]

The payload has been detected as Dridex by multiple vendors on VirusTotal: https://www.virustotal.com/en/file/d44d8801daf2c7fd27ce513230a89e620b5c55f1d14ff0a692801016e76729ec/analysis/

By dumping the process memory of our Dridex payload, we can quickly see the IP addresses and ports it reaches out to for initial communications, presumably to obtain the peer node lists.

[Screenshot: IP addresses and ports from the process memory dump]

The above IP address and port combinations are:


According to LookingGlass’ ScoutVision, the second C&C IP address has been an active C&C since at least November 7th, and the third and fourth IP addresses have been active since at least October 24th.

Since Dridex has already been identified and analyzed in detail by numerous other security researchers, we decided to stop our analysis here. The LookingGlass CTIG recommends blocking any emails from the malspam sender, as well as blocking any network communication to or from any of the IP addresses or domain listed below.

Summary of IOCs:

C:\Users\{Username}\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZNL4QWHR\mg[1].jpg