Dridex targeting Swiss Internet Users

Published on 2016-07-08 12:35:00 UTC by GovCERT.ch (permalink)
Last updated on 2016-07-08 11:59:13 UTC

In the past weeks, we have seen a rise of malicious Microsoft office documents that are being spammed out to Swiss internet users with the aim to infect them with a malicious software (malware) called Dridex.

Dridex is an ebanking Trojan which is already around for some time now. The attackers are operating various botnets with Dridex infected computers. While most of these botnets do have a strong focus on financial institutions from abroad (such as US or UK), one particular botnet is also targeting financial institutions in Switzerland.

These days, Dridex is being distributed via malicious Microsoft office files, for example Word documents (.docx). The attackers have weaponized these documents with a malicious macro. The purpose of this macro is to download additional code (in this case Dridex) from a compromised website, once the office document is being opened and the macro executed. Unless most of the spam campaigns that are hitting our spam traps these days, the spam campaigns that are distributing Dridex do not originate from a spam botnet, but rather from compromised email accounts. Therefore the attackers manage to bypass many spam filters and hence ensure that the email gets delivered to the recipient.

The Dridex spam campaign we have seen yesterday has been sent from compromised t-online.de email accounts, but also from other email service providers:

Received: from mailout09.t-online.de (mailout09.t-online.de [194.25.134.84])
(using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN
"mailout00.t-online.de", Issuer "TeleSec ServerPass DE-2" (verified OK)) by
X (Y) with ESMTPS id X for ; Thu, 7 Jul 2016 X
Received: from fwd10.aul.t-online.de (fwd10.aul.t-online.de [172.20.26.152])
by mailout09.t-online.de (Postfix) with SMTP id X for ; Thu, 7 Jul 2016 X
Received: from [127.0.0.1] (Z@[5.141.50.9]) by fwd10.t-online.de with TLSv1:DHE-RSA-AES256-SHA encrypted) esmtp id X; Thu, 7 Jul 2016 X
Message-ID:
Date: Thu, 7 Jul 2016 X
From: X
Subject: firstname.lastname ; Aufforderung zur Bezahlung von Rechnung #EU932451 von X

If we can trust the email header, the email has been sent through t-online by a broadband IP address in Russia (5.141.50.9 - OJSC Rostelecom, Russia). The email subject varies:

emailaddress: Offene Rechnung ist verfügbar (# )
emailaddress, Offene Faktur ist überfällig (# 17285838)
emailaddress, Offene Warenrechnung ist überfällig (ID 09608490)
emailaddress - Aufforderung zur Begleichung von Rechnung #J007631 von XYZ
emailaddress - Aufforderung zur Begleichung von Ausgangsrechnung #EU985390 von XYZ
emailaddress : Aufforderung zur Bezahlung von Rechnung #W738296 von XYZ
emailaddress - info, Die Fälligkeit Ihrer Rechnung 1879590 für XYZ
emailaddress partner: Ihre Abrechnung ist überfällig (# 15238847)

The spam email look like this, but may vary:

Dridex spam sample
Dridex spam sample (click to enlarge)

The attachment name varies and depends on the name of the recipient. Once the malicious office document is opened and the macros executed, Dridex payload will be downloaded from a compromised website.

To prevent becoming a victim of Dridex or other malware that is being distributed via malicious office documents, we recommend the following actions:

For private users:

  • Be careful when receiving emails from strangers or suspect invoices via email. In case of doubt, call the sender or contact him via email to verify the purpose of the email.
  • Never execute macros in office documents you have received via email, even when the sender asks you to do so. Macros may harm your computer!
  • Always keep your Antivirus software up to date. If you use a non-free Antivirus, make sure that your Antivirus is licensed and if not, renew it or switch to a free Antivirus software to receive full protection. Otherwise the virus protection will expire and you will no longer be protected against threats.
  • Regularly make a backup of your data. The backup should be stored offline, i.e. on an external medium such as an external hard disk. Thus make sure that the medium where the backup is saved is disconnected from the computer after the backup procedure is complete.

For companies:

  • For payments or wire transfer issued via ebanking, make use of collective contracts. By using collective contacts, every wire transfer need to be signed an authenticated by a second ebanking contract / login. Ask your bank about the use of collective ebanking contracts.
  • Use a dedicated computer for ebanking (no surfing in the internet , email etc).
  • Block the receipt of dangerous email attachments on your email gateway. These include among others:

  • .js (JavaScript)
    .jar (Java)
    .bat (Batch file)
    .exe (Windows executable)
    .cpl (Control Panel)
    .scr (Screensaver)
    .com (COM file)
    .pif (Program Information File)
    .vbs (Visual Basic Script)
    .ps1 (Windows PowerShell)

  • Make sure that such dangerous email attachments are also blocked, if they are sent to recipients in your company in archive files such as ZIP, RAR or even in encrypted archive files (e.g. in a password-protected ZIP file).
  • In addition, all email attachments containing macros (e.g. Word, Excel or PowerPoint attachments which contain macros) should be blocked on the email gateway as well.
  • You can obtain additional protection against malware for your IT infrastructure by using the Windows AppLocker . By using the Windows AppLocker, you can specify which programs can be run on the computers in your company.

Indicator of Compromise (IOCs)

Dridex payload delivery URLs (fetched by the malicious documents that are being spammed out):

http://thereputationco.com/office.bin
http://shaynarae.com/winword.dat

Dridex payload (malware samples):

winword.dat (MD5 2eaf243bad4b1c22089e7654524f0e5a)
office.bin (MD5 66e9ff85c9361127cd4b873d48008c9b)

Initial Dridex botnet C&C nodes (compromised servers):

70.32.97.158:13443
51.255.69.127:13443
23.229.54.99:134436

Additional Dridex botnet C&C nodes (compromised servers) - via Dridex configuration file:

222.255.121.202:443
93.174.126.37:8443
197.96.139.253:443
129.194.100.206:8443
80.44.193.206:8443
129.194.98.250:8443
178.196.145.13:8443
129.194.100.246:8443
81.133.39.123:8443
46.140.107.250:8443
94.67.72.1:8443
129.194.42.189:8443
73.72.208.195:8443
195.24.93.41:8443
101.187.28.8:8443
68.200.154.229:8443

Dridex redirect / webinject server (compromised server):

https://188.165.206.121:12443/2/
https://62.76.189.130/get-dbYd81hd83H/
https://160.193.162.145:41443/imprisonment
https://160.193.162.145:41443/encourage
Share on Twitter Share on Facebook

Back to top