Dridex Malware Targets Email Users In New Spam Campaign

Dridex Malware Targets Email Users In New Spam Campaign

Heimdal Security  has spotted a new spam campaign that seeking to trick email users into downloading a banking malware dubbed Dridex.

In this spam campaign  email messages are delivered with a .doc attachment that contains macros, which attempt to download Dridex.

The contents of each spam message reads as follows:

From: [spoofed / fake return address]

Subject Line: Scanned from a Xerox Multifunction Printer

Body: Please open the attached document. It was scanned and sent to you Using a Xerox Multifunction Printer.

Attachment File Type: DOC, Multi-Page

Multifunction Printer Location:

Device Name: XRX9C934E5EEC46

For more information on Xerox products and solutions, please visit http://www.xerox.com

Attached: Scanned from a Xerox Multifunction Printer.doc

After opening a document it attempts to use the macros to retrieve Dridex from the following locations:

hxxp: // tgequestriancentre [.] co.uk/708/346.exe
hxxp: // sudburyhive [.] org / 708 / 346.exe
hxxp: // werktuigmachines [.] be / 708 / 346.exe
hxxp: // colchester-institute [.] com / 708 / 346.exe

Dridex is has a evasive capability by running in memory and never moving a file into the hard drive. However, according to Virus Total, more than half (almost 55 percent) of antivirus companies have a success detecting Dridex.

Upon activation, Dridex contacts a number of C&C servers in order to send stolen information and it also writes the following Binary Large OBjects to the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{91179CCE-14A2-1D89-01D5-125992394513}\ShellFolder
 01D3A3627F1088934 “=
 hex:90,77,a9,7c,3c,f2,f0,e5,46,1c,c3,7b,fd,97,c1,19,aa,ce,1f,c5,2f,51,80,82,3a,7f,ec,
 26,a9,83,df,19,aa,d7,12,cd,2f,51,83,cc,6e,38,e3,09,ea,d9,44,13,5c,57,81,ce,ec,89,a1,
 9b,d1,dc,ab,58,05,37,8b,62,0c,50,0e,bd [..]

The data is then split into two data sets, both of which are XOR’d and contain configuration and web injects.

Dridex, is the direct successor of the online banking malware Cridex, was first detected back in November of 2014. Since then, it has evolved significantly with respect to its delivery methods, as analyzed by a recent FireEye report.

Above mentioned capabilities have made Dridex a significant player in the field of online banking malware. In June, SecurityScorecard, a company dedicated to helping organizations better understand, identify, and mitigate risks to their computer systems, released “The Current State of Banking Malware Q1/Q2 2015.” The report identified 55 malware families, accounting for a total of 11,952 infections at entities in different industries, and found that Dridex recorded the highest number of infections in the manufacturing industry (27 percent of attacks).

 

We  recommend to never download email attachments from suspicious emails and active two-factor authentication on your online banking accounts whenever possible.

For more information on how you can protect you financial data against Dridex and other threats, please read our small guide about best virus protection.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.