Created 2021-03-22-IOCs-from-Dridex-infection.txt

2021-03-22-IOCs-from-Dridex-infection.txt

@@ -0,0 +1,125 @@
+2021-03-22 (MONDAY) - MALICIOUS SPAM (MALSPAM) PUSHING DRIDEX MALWARE:
+
+REFERENCE:
+
+- https://twitter.com/Unit42_Intel/status/1374092293276381187
+
+DATA FROM 10 EXAMPLES OF EMAILS PUSHING DRIDEX:
+
+MAIL SERVERS:
+
+- Received: from ([39.40.31[.]252])
+- Received: from ([41.227.25[.]145])
+- Received: from ([79.42.215[.]190])
+- Received: from ([87.16.89[.]165])
+- Received: from ([93.42.7[.]100])
+- Received: from ([95.249.117[.]48])
+- Received: from ([114.5.213[.]108])
+- Received: from ([213.60.190[.]210])
+- Received: from host-217-58-220-34.business.telecomitalia.it ([217.58.220[.]34])
+- Received: from it ([37.182.240[.]151])
+
+SPOOFED SENDERS:
+
+- From: Credit and Collections Dept <[email protected]>
+- From: Credit and Collections Dept <[email protected]>
+- From: Credit and Collections Dept <[email protected]>
+- From: msc.com <[email protected]>
+- From: msc.com <[email protected]>
+- From: msc.com <[email protected]>
+- From: msc.com <[email protected]>
+- From: msc.com <[email protected]>
+- From: MSC Inc. <[email protected]>
+- From: MSC MEDITERRANEAN SHIPPING COMPANY (USA) INC. <[email protected]>
+
+SUBJECT LINES:
+
+- Subject: Freight overdue invoice Of 03_22_2021
+- Subject: Freight Payment Notification Of 03_22_2021
+- Subject: Ocean Freight overdue invoice Of 03_22_2021
+- Subject: Ocean Freight Payment Notice Of 03_22_2021
+- Subject: Ocean Freight Payment Notification Of 03_22_2021
+- Subject: Ocean Freight Statement Of Outstanding As Of 03_22_2021
+
+ATTACHED EXCEL SPREADSHEET:
+
+- SHA256 hash: 3f4632f072dca5d71e765dcdb19f411d30a2609850ecd7234e550da2475cd925
+- File size: 114,635 bytes
+- File name: printouts of outstanding as of_03_22_2021.xlsm
+- File name: printouts_of_outstanding as of_03_22_2021.xlsm
+- File name: Statement of Account as of_03_22_2021.xlsm
+- File name: Statement as of_03_22_2021.xlsm
+- File description: Excel file with macro for Dridex malware
+
+AT LEAST 31 URLS COULD GENERATED BY THE EXCEL MACRO FOR THE INITIAL MALWARE DLL:
+
+- hxxps://absupplie[s].co[.]uk/et4fcy.tar
+- hxxps://accounts.thesmarttechhub[.]com/fxg8ani8z.rar
+- hxxps://agmcarpetcare[.]co[.]uk/vrwudng.rar
+- hxxps://artedibujoyarquitectura[.]com/hjvt66w4y.zip
+- hxxps://ayamallah[.]com/ct8dz98ef.rar
+- hxxps://bardi[.]tv/in28z1xt.tar
+- hxxps://buenavista[.]co/zw7616jjd.zip
+- hxxps://calllocalattorneys[.]com/cos1lbi0.zip
+- hxxps://codernet[.]net/dlf3se.tar
+- hxxps://controladoradeplagasmm[.]com/g9h833opc.rar
+- hxxps://corporativos[.]com[.]co/w074xgot.zip
+- hxxps://ebruyatkin[.]com/bbi71whxu.zip
+- hxxps://filmotainment[.]com/__MACOSX/filmotainment.com/images/slider//ft58oohsv.zip
+- hxxps://foodie[.]digital/xri6vo4t2.tar
+- hxxps://jewsjuice[.]com/fjmv5r5vu.rar
+- hxxps://kevinjewelry[.]com[.]co/hya2l4.tar
+- hxxps://ladylabonde[.]com/aiqsuyk.tar
+- hxxps://litroxlitro[.]com/nnmj07n.tar
+- hxxps://lp.tecnimasdecolombia[.]com[.]co/slvsw1d.zip
+- hxxps://medevlb[.]org/w1egtdcq4.zip
+- hxxps://pagos.krayem[.]com[.]mx/ctxmc2.zip
+- hxxps://poppycharity[.]com/squhy1.rar
+- hxxps://rawjee[.]com/eu603if57.zip
+- hxxps://safety.nanotechproautocare[.]com/xvi3ck.tar
+- hxxps://syedpro.dezinetimes[.]com/kdytpp.zip
+- hxxps://tintasylaser[.].com/ikz76v8l3.tar
+- hxxps://vidmattic[.]com/nzglgqfy.tar
+- hxxps://www.chealablilitycarinsurances[.]com/jxoteqcn.tar
+- hxxps://www.connectbyte[.]com[.]br/p8s3xau.zip
+- hxxps://xmp.myracingaccounts[.]com/i7wgg83y.rar
+
+ASSOCIATED MALWARE
+
+- SHA256 hash: 38cea6b8da276da415ba1f4127eb6db81f914e27335da458a540cd2db671886f
+- File size: 354,304 bytes
+- File location: hxxps://xmp.myracingaccounts[.]com/i7wgg83y.rar
+- File location: C:\Users\[username]\AppData\Local\Temp\kkfofius.dll 
+- File description: Example of initial DLL file retreived by Excel macro
+- Run method: regsvr32.exe [filename]
+
+- SHA256 hash: 6ccce784a050c40fb2ff43b7105a0bb5d0352751820b8ecc2e5ae13d25deae43
+- File size: 671,744 bytes
+- File location: C:\Users\[username]\AppData\Roaming\Internet Explorer\Quick Launch\Uer Pinned\TaskBar\8BZQKUfNh\XmlLite.dll 
+- File description: Example of 64-bit DLL for Dridex (1 of 3)
+- Run method: Run by copy of legitimate file named DeviceEnroller.exe located in the same directory
+- Note: Made persistent through Windows registry update
+
+- SHA256 hash: 1a8d29247416bb4d8936435d0bcd94d769aae9631b840f05f0c2329414f855f7
+- File size: 671,744 bytes
+- File location: C:\Users\[username]\AppData\Roaming\Microsoft\Protect\4RwSPPz\WTSAPI32.dll 
+- File description: Example of 64-bit DLL for Dridex (2 of 3)
+- Run method: Run by copy of legitimate file named RDVGHelper.exe located in the same directory
+- Note: Made persistent through scheduled task
+
+- SHA256 hash: eb90b1dacc3dfefde35745ea1710b90f5f76a84fa4d94c66883ccc8918ecc977
+- File size: 671,744 bytes
+- File location: C:\Users\[username]\AppData\Roaming\Mozilla\Extensions\1NyedFiiw\WTSAPI32.dll 
+- File description: Example of 64-bit DLL for Dridex (3 of 3)
+- Run method: Run by copy of legitimate file named MDMAppInstaller.exe located in the same directory
+- Note: Made persistent through Windows shortcut in startup menu folder
+
+NOTE:
+
+- SHA256 hashes and file sizes for the 64-bit DLL files for Dridex are unique for each infection, and these binaries are occasionally updated during
+  an infection. A Dridex-infected host could have dozens of 64-bit malware DLL files in different locations, if it's been infected for several days.
+
+DRIDEX C2 TRAFFIC FROM AN INFECTION RUN IN A LAB ENVIRONMENT:
+
+- 210.65.244[.]179 port 443 - HTTPS traffic
+- 5.34.179[.]66 port 443 - HTTPS traffic