Introduction

Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.

By investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack’s inner workings. We also came across an online avatar of a Russian-speaking hacker, who seems to be in charge of the tools developed and used in this attack.

In this article, we will discuss the infection chain, those targeted, the tools used and a possible attribution to one of the hackers behind the attack.

The Infection Chain

The infection flow starts with an XLSM document with malicious macros, which is sent to potential victims via e-mail under the subject “Military Financing Program”:

Email subject: military financing program
File name: “Military Financing.xlsm”
SHA-256: efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12

Fig 1: Decoy document

The well-crafted document bears the logo of the U.S. Department of State and is marked as Top Secret. Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document and could potentially reveal more information about the source of this attack.

Fig 2: The infection chain

Once the macros are enabled, two files are extracted from hex encoded cells within the XLSM document:

  1. A legitimate AutoHotkeyU32.exe program.
  2. AutoHotkeyU32.ahk: an AHK script which sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute.
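As an added example (not from the Check Point write-up or from the attacker's macro), the following Python scans the worksheet and shared-string XML inside an .xlsm for runs of hex-only cells, joins consecutive cells the way a “hextext”-style macro would, and reports any decoded blob that starts with an MZ header. The workbook it scans is constructed inline with a fake PE header; the 16-byte minimum run length is an assumed threshold.

```python
import io
import re
import zipfile

# Cell text lives in <t> (inline/shared strings) or <v> (values) elements.
CELL_TEXT = re.compile(r"<(?:t|v)(?:\s[^>]*)?>([^<]*)</(?:t|v)>")
# A "hex-only" cell: whole bytes, at least 16 of them (assumed threshold).
HEX_BLOB = re.compile(r"(?:[0-9A-Fa-f]{2}){16,}")


def sheet_xml_from_xlsm(data):
    """Yield (zip member, XML text) for every worksheet and the shared-string table."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if (name.startswith("xl/worksheets/") or name == "xl/sharedStrings.xml") \
                    and name.endswith(".xml"):
                yield name, z.read(name).decode("utf-8", "replace")


def carve_hex_payloads(xml_text):
    """Join runs of consecutive hex-only cells (as a 'hextext = hextext & cell' macro
    would) and decode each run; report its size and whether it starts with 'MZ'."""
    blobs, run = [], []

    def flush():
        if run:
            raw = bytes.fromhex("".join(run))
            blobs.append({"size": len(raw), "is_pe": raw.startswith(b"MZ")})
            run.clear()

    for m in CELL_TEXT.finditer(xml_text):
        value = m.group(1).strip()
        if HEX_BLOB.fullmatch(value):
            run.append(value)      # extend the current run of hex cells
        else:
            flush()                # a non-hex cell ends the run
    flush()
    return blobs


def scan_xlsm(data):
    """Return [(member, size)] for every hex-encoded blob that carries an MZ header."""
    return [(name, b["size"])
            for name, xml in sheet_xml_from_xlsm(data)
            for b in carve_hex_payloads(xml) if b["is_pe"]]


# --- constructed sample workbook: a fake 84-byte PE header split over two cells ---
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16
_hex = FAKE_PE.hex()
_half = len(_hex) // 2           # 84 hex chars each, so both halves are whole bytes
SAMPLE_SHEET = (
    '<worksheet><sheetData><row r="1">'
    f'<c r="A1" t="inlineStr"><is><t>{_hex[:_half]}</t></is></c>'
    f'<c r="B1" t="inlineStr"><is><t>{_hex[_half:]}</t></is></c>'
    '<c r="C1"><v>42</v></c>'
    '</row></sheetData></worksheet>'
)


def build_sample_xlsm():
    """Minimal zip containing only the worksheet part; enough for the scanner above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", SAMPLE_SHEET)
    return buf.getvalue()


if __name__ == "__main__":
    for member, size in scan_xlsm(build_sample_xlsm()):
        print(f"{member}: {size}-byte hex-encoded PE image found")
```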

The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more “functionality” to TeamViewer by hooking Windows APIs called by the program.

Modified functionality includes:

Fig 3: MoveFileW function hook: adds payload “execute” and “inject” functionality.

The following is a demonstration of how it actually works:

Fig 4: Remote payload execution demo

Victims

As described in the infection flow, one of the first uses of the AutoHotkey scripts is to upload a screenshot from the compromised PC.

The directory which those screenshots were uploaded to was left exposed, and could have been viewed by browsing to the specific URL:

Fig 5: Open directory with victims’ screenshots

However, those screenshot files were deleted periodically from the server, and eventually the “open directory” view was disabled.

Until that time, we were able to ascertain some of the victims of these attacks, as most of the screenshots included identifying information.

From the targets we have observed in our own telemetry, as well as the information we have gathered from the server, we were able to compose a partial list of countries where officials were targeted:

It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world.

Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.

Previous Campaigns

While all campaigns observed from this threat actor utilized a trojanized version of TeamViewer, the features of the malicious DLL have changed, and the first stage of the infection has evolved over time.

Delivery

The initial infection vector used by the threat actor also changed over time: during 2018 we saw multiple uses of self-extracting archives, which displayed a decoy image to the user, instead of malicious documents with AutoHotkey.

For example, the self-extracting archive “Положение о прокуратуре города(приказом прокурора края)_25.12.2018.DOC.exe” (translated into “Regulations on the city prosecutor’s office (by order of the regional prosecutor)_25.12.2018.DOC.exe”) displays the following image:

Fig 6: SFX archive decoy image

This image shows officials from Kazakhstan, and was taken from the website of Kazakhstan’s Ministry of Foreign Affairs. The original name of the executable and the decoy content it displays seem to suggest that it was targeting Russian speaking victims.

There were also other instances in which related campaigns were after Russian speakers: one of the weaponized Excel documents had instructions, in fluent Russian, on how to enable content so that the macros would run:

Fig 7: Russian decoy document

SHA-256: 67d70754c13f4ae3832a5d655ff8ec2c0fb3caa3e50ac9e61ffb1557ef35d6ee

Afterwards, it would display finance-related Russian content:

Fig 8: Russian decoy document – after macros are enabled

Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers, the recurring financial and political themes that they use highlight the attacker’s interest in the financial world once more.

The Payload

Throughout the campaigns, multiple changes to the functionality of the malicious TeamViewer DLL were introduced. Below are the feature highlights of each version:

First Variant (?-2018)

Second Variant (2018)

Fig 9: Help commands found in malicious DLL

Third Variant – as observed in the current campaign (2019)

Attribution

Although in such campaigns it is usually unclear who is behind the attack, in this case we were able to locate a user, active in several online forums, who appears to be behind the aforementioned activity, or is at least the creator of the tools used in the attack.

By following the trail from the previous campaigns we were able to find a `CyberForum[.]ru` user that goes by the name “EvaPiks”.

In multiple instances, the user would suggest, or be advised by other users to use, some of the techniques we witnessed throughout the campaigns.

The following are translated snippets from some of the threads in the forum:

Fig 10: EvaPiks – suggested macro code

The macro code suggested by EvaPiks in the above thread was actually used in the latest attack, and some of the variable names such as “hextext” were not even changed.

In the following screenshot, we see EvaPiks suggesting a Delphi code snippet that “works great”:

Fig 11: EvaPiks – suggested PHP code

Fig 12: Panel URL found in DLL code

In addition to the similar Delphi usage, the URL mentioned in the forum (`newpanel_gate/gate.php`) was used in one of the attacks.

Back in 2017, EvaPiks was the one seeking advice on the forum, with questions about API function call interception:

Fig 13: EvaPiks – seeking Delphi hooking advice on the forums

Fig 14: Hooks found in DLL code

The same hooking technique of `CreateMutexA` and `SetWindowTextW` functions was utilized in the sample we have observed as well.

An additional screenshot from the forum reveals how EvaPiks is experimenting with new features, some of which were integrated into the malicious DLLs:

Fig 15: EvaPiks – development PC screenshot from the forums

Besides `CyberForum[.]ru`, we also found out that this avatar was active on an illegal Russian carding forum, strengthening the notion that their forum activity is not for “educational purposes” only:

Fig 16: EvaPiks – complaining about a fellow user on a carding forum

The Attack Infrastructure

At one point or another, all the samples observed, except some of the samples from the first variant, utilized the same web hosting company: HostKey (see Appendix B for a list of URLs).

Additionally, we observed the following login panels on the C&C servers utilized by the malicious DLLs:

Fig 17: “Cyber Industries” login panel hosted on 193.109.69[.]5

Fig 18: login panel hosted on 146.0.72[.]180

Summary

On the one hand, from the findings we have described, this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience.

On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the reach of their malicious activity.

The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able to find such a payload and learn what other functionality it introduces besides that provided in the DLL, the real intentions of the latest attack remain unclear.

However, the activity history of the developer behind the attack in underground carding forums, together with the victims’ characteristics, may imply that the attacker is financially motivated.

\n

———————————————————————————————————————————————————————————————————————-

Check Point’s SandBlast

The malware used in this attack was caught using Check Point’s Threat Emulation and Threat Extraction.

Threat Emulation is an innovative zero-day threat sandboxing capability, used by SandBlast Network to deliver the best possible catch rate for threats, and is virtually immune to attackers’ evasion techniques. As part of the Check Point SandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware and targeted attacks. The Threat Extraction capability removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow.

IOCs

Documents

4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973

Appendix A: Yara Rule

```yara
rule TeamViwer_backdoor
{
    meta:
        date = "2019-04-14"
        description = "Detects malicious TeamViewer DLLs"

    strings:
        // PostMessageW hook function
        $x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}

    condition:
        uint16(0) == 0x5a4d and $x1
}
```
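As an added example, not part of the original rule or of Check Point's tooling, here is a pure-Python check that applies the same condition as the rule above (an MZ header plus the $x1 hook prologue) to arbitrary bytes, for use where the yara library is unavailable; it goes slightly beyond the rule by also accepting `??` wildcards and `[n-m]` jumps in the hex string. The sample buffers are constructed and are not real TeamViewer files.

```python
import re

# $x1 from the YARA rule above: the PostMessageW hook prologue.
X1 = ("55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 "
      "8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8")


def yara_hex_to_regex(pattern):
    """Compile a YARA-style hex string into a bytes regex. Beyond what the rule
    needs, '??' (wildcard byte) and '[n-m]' (jump of n..m bytes) tokens are accepted."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(x) for x in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data, pattern=X1):
    """Python equivalent of the rule's condition `uint16(0) == 0x5a4d and $x1`.
    Returns the offsets of every pattern hit, or [] if the MZ check fails."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x5A4D:
        return []
    return [m.start() for m in yara_hex_to_regex(pattern).finditer(data)]


# --- constructed buffers (not real PE files): hook bytes placed at offset 0x80 ---
HOOK = bytes.fromhex(X1.replace(" ", ""))
SUSPECT = b"MZ" + b"\x00" * 0x7E + HOOK + b"\x90" * 16
CLEAN = b"MZ" + b"\x00" * 0x7E + b"\x90" * 48
NOT_PE = b"\x7fELF" + HOOK                # pattern present, but not an MZ file

if __name__ == "__main__":
    for label, buf in (("suspect", SUSPECT), ("clean", CLEAN), ("not_pe", NOT_PE)):
        print(label, [hex(o) for o in scan(buf)])
```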

Appendix B: Online services of interest

Online Shops

`ebay, amazon, wish.com, aliexpress, flipkart.com, rakuten.com, walmart.com, target.com, bestbuy.com, banggood.com, tinydeal.com, dx.com, zalando, jd.com, jd.id, gearbest.com, lightinthebox.com, miniinthebox.co`

Source: https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/

Stopping Serial Killer: Catching the Next Strike

Brief

When we look at a prevalent malware family, we give credit to its authors for the malicious infrastructure they have established. New malicious activity flows smoothly, command-and-control servers appear, everything works like a Swiss watch. Are there any weak points in such a construction?

To answer this question we may think about a race car. It is a masterpiece crafted for maximum speed; however, the faster it goes, the less chance it has of making a sharp turn. Malware infrastructure has the same weakness of inertia: when every joint works fine, you need a strong reason to change something in it.

We can use this for our benefit just like movie detectives do. Take a city map, mark the spots of previous crimes, and you will likely understand the pattern and even get a probable place for the next crime, since it will likely follow the established template. In this research we show how to transfer these actions to the world of malware. We take one of the most prevalent contemporary botnets, called Dridex, mark its previous crime scenes, build the map and draw conclusions that help us to catch the next strike. We show evidence of the success of such an approach, measured in hard numbers, and explain how to use this idea in other real-world cases.

Introduction

The Dridex Banking Trojan first appeared in 2014 and is still one of the most prevalent malware families. In March 2020, Dridex topped the list of most wanted malware.

Dridex was created by a cyber-crime group called “Evil Corp”, which has caused an estimated $100 million in damage to the banking system worldwide. A lot of research has already been published covering different aspects of the malware’s details and how the cyber-crime group functions.

In this article we provide a summary of the key details known about Dridex to date. We explore the pre-history of Dridex development, give an overview and show its key technical features and methods of spreading. We explain how we can intercept this malware at the earliest stages of the infection chain. We also provide graphs that show evidence of the success of our approach and how our customers are protected against this malware.

Background

Dridex has a famous lineage. Let’s take a step back in history to find out more about the time period when its earliest version appeared.

The key names in this story:

Pre-Dridex era – It all starts with ZeuS

ZeuS is a Trojan horse malware. Its capabilities include turning an infected machine into a botnet node, stealing banking credentials, and downloading and executing separate malicious modules. According to the FBI investigation, the members of the cyber-crime group attempted to steal around 220 million USD worldwide using ZeuS.

The timeline below shows key points in ZeuS evolution:

Figure 1 – Chronology of ZeuS evolution.

When the ZeuS source code was leaked in 2011, various branches of this malware started to appear. It was very popular malware and gave rise to lots of different malware branches. ZeuS versions may be found in the ZeuS online museum. At the time of this writing, ZeuS was associated with 29 different malware families, featuring around 490 versions in total.

In May 2014, the FBI issued a bulletin with a description of Evgeniy Bogachev and a promised reward of 3 million USD “for information leading to the arrest and/or conviction.”

Figure 2 – Description of Evgeniy Bogachev on the FBI site.

Dridex era

After the botnets of direct ZeuS successors were taken down, Dridex’s time came. This malware is a result of Bugat evolution (which appeared in 2010). Bugat v5 was recognized as Dridex in 2014.

More names appear on the stage at this time.

More names connected to Dridex can be found in the US Treasury sanctions statement.

The timeline below shows some milestones in Dridex evolution:

Figure 3 – Chronology of Dridex evolution.

Dridex in turn gave rise to a number of ransomware families, starting with BitPaymer in 2017. This branch continued with DoppelPaymer, which was developed in 2019, and WastedLocker, which was developed in 2020.

Recent past

In 2019, Dridex had at least 14 active botnets, some of which had already been spotted previously, and others newly developed. Botnets are differentiated by their ID numbers. These were among the most active at this time: 10111, 10222, 10444, 40200, 40300.

At the end of 2019, the FBI issued a bulletin with a description of the author of Dridex and a promised reward of 5 million USD (compared with 3 million USD previously for E. Bogachev).

Figure 4 – Description of Maksim Yakubets on the FBI site.

There is also evidence of Maksim’s luxurious lifestyle, undoubtedly due to income from his malicious activities.

Figure 5 ­– Cars, girls, money; the luxurious lifestyle of Maksim Yakubets.

To date, Maksim Yakubets has not been apprehended by law enforcement.

As mentioned previously, in 2020, Dridex topped the lists of the most prevalent malware families in the world.

Infection chain

Before we start the analysis of Dridex samples themselves, we want to understand the infrastructure behind the malware. How is it delivered? What are the targets? What is the initial detection rate of supporting files? We will find the answers to all of these questions below.

Flow

When the operators want to spread Dridex, they use established spambots from different cyber-crime groups to send malicious documents attached to carefully crafted e-mails. At different times of the Dridex lifecycle, the Necurs, Cutwail and Andromeda botnets have all been involved in spreading Dridex.

When a user downloads and opens such a document (it may be Word or Excel), the embedded macros are launched with the aim of downloading and executing the Dridex payload.

Figure ­6 – Dridex infection chain execution flow.

Targets

Dridex targets different high-profile entities from various parts of the world:

Lures

To increase the success rate at which Dridex is spread, malicious actors disguise their spam e-mails to look like legitimate ones. UPS, FedEx and DHL are examples of companies whose logos and mailing style are used as bait in such e-mails.

Figure 7 – Examples of lures.

When the victim clicks the link, either the archive with the malicious document or the malicious document itself is opened.

Initial detection rate

When first seen in the wild, Dridex delivery files show a very low detection rate. In the screenshot below we see the initial detection rate of the Excel document which delivers Dridex:

Figure 8 – Initial detection rate of the Dridex delivery file.

The same is true for other delivery files.

Loader and Payload

The Dridex sample consists of the loader and the payload. We discuss key points of each part below.

Anti-debug technique

The Dridex loader utilizes the OutputDebugStringW function to make malware analysis more difficult. Different loaders produce different outputs (with the “Installing…” string being very popular), but the idea is the same everywhere: a long loop that emits a lot of meaningless debug messages. In the figure below, we see an example of such a loop with around 200 million iterations:

Figure 9 – Loop with 0xBEBBE7C (around 200 million) iterations calling OutputDebugStringW.

The output looks like this in the log:

Figure 10 – Dridex debug messages that overwhelm the analysis log.

Obfuscation

The payload is heavily obfuscated; almost no function is called directly. Call resolutions are performed with the help of hash values identifying the library and the function it contains. An example of such a resolution is shown in the screenshot below:

Figure 11 – Example of the call resolution in the Dridex payload.

All the functions important for Dridex’s key tasks are called this way.

Figure 12 – Example of resolved calls to Internet functions.

We used the Labeless tool to resolve obfuscated function calls.

Strings in the malware are obfuscated using the RC4 algorithm, with the decryption key stored inside the sample.

Configuration

The main point of interest inside the payload is its configuration. It contains the following important details:

An example of the configuration:

Figure 13 – Example of the Dridex configuration inside the payload.

The bot ID in this example is 12333. The Command and Control servers are:

Network activity

Dridex sends POST requests to the servers from the configuration to get further commands, waiting for 200 OK responses. Please note that these servers are not real C&C servers but rather proxies for connecting to the real ones.

Figure 14 – The Dridex botnet infrastructure.

The information which is sent by the malware to the C&C servers contains the following data:

This data is encrypted with the RC4 algorithm, the key for which is stored among encrypted strings inside the malware.
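The RC4 decryption described for the obfuscated strings above and for the C&C data here, as an added example (not Check Point's or the malware's code): a small RC4 implementation, a printable-ratio check an analyst can use to tell whether a candidate key recovered from the sample is the right one, and a decrypt of a constructed string table and beacon body. The NUL-separated string-table layout, the key and the beacon field names are assumptions; only the bot ID 12333 comes from the page.

```python
def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace; used to judge a key guess."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def decrypt_string_table(blob: bytes, key: bytes):
    """Decrypt a NUL-separated string table (layout assumed) and return its strings,
    or None when the result does not look like text, i.e. the key is probably wrong."""
    plain = rc4(key, blob)
    if printable_ratio(plain.replace(b"\x00", b"")) < 0.9:
        return None
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]


# --- constructed sample: a string table and a beacon body encrypted with a known key ---
SAMPLE_KEY = b"constructed-sample-key"
SAMPLE_STRINGS = [b"POST", b"Content-Type: application/x-www-form-urlencoded", b"ntdll.dll"]
SAMPLE_TABLE = rc4(SAMPLE_KEY, b"\x00".join(SAMPLE_STRINGS) + b"\x00")
# Beacon field names are assumed; 12333 is the bot ID shown in the configuration above.
SAMPLE_BEACON = rc4(SAMPLE_KEY, b"botid=12333&os=Windows 10&user=analyst")

if __name__ == "__main__":
    print(decrypt_string_table(SAMPLE_TABLE, SAMPLE_KEY))   # the real strings
    print(decrypt_string_table(SAMPLE_TABLE, b"wrong-key"))  # None: key rejected
    print(rc4(SAMPLE_KEY, SAMPLE_BEACON))                    # decrypted C&C body
```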

There are at least 6 different types of request; among them are the following ones:

Putting IOCs together

The earlier the infection is caught, the better the chances of mitigation. To catch the infection as quickly as possible while spending the minimum amount of resources, we want to focus on the initial delivery stage.

However, detection is only one aspect. We may confidently say that something is malicious, but we also want to classify the threat. To do so, we have to be sure that this particular malware is indeed Dridex.

Let’s take a look at the Dridex infection chain again and determine the different stages which we can use for its detection and identification:

Figure 15 – Different stages of Dridex detection.

At different stages of the Dridex infection, we can use the following indicators for its detection.

Why are so many factors important?

We have seen a correlation between infrastructures and indicators of Dridex and other prevalent malware families such as Emotet and Ursnif. Malicious documents share common indicators when used for the delivery of all the malware mentioned above. Some C2 servers – or to be precise, proxy servers – are used both by Dridex and Emotet, though ports and connection types are different.

That’s why we have to analyze a lot of details before we draw a conclusion of what malware we’re dealing with. The more unique factors related to a particular botnet we have, the easier it is to say if another attack has the same patterns.

The ideal way to classify malware is of course getting and analyzing the final payload: if it is Dridex, then everything that was launched before it is classified as Dridex as well. However, it may take some time (sometimes a significant amount after the initial malicious document is obtained) before the result is known. We can do the classification faster, with high confidence, by analyzing all the indicators we get at the earliest stages of the infection chain.

IP addresses to draw a map

Another interesting point is the use of the same network for downloading Dridex samples. We analyzed the domains used for this purpose, resolved their IPs and discovered that quite a few of them reside in the same network, 84.38.180.0/22, with fewer than 1024 addresses available in total. The network belongs to the Russian ASN Selectel, which rarely takes down malicious content or spam.

We saw the following IP addresses linked to Dridex domains in the 84.38.180.0/22 network (and other networks within the same ASN). Dates show the first time the Dridex domain pointed to the corresponding IPs:

IPs             Date     Domains
84.38.182.248   May 10   rokadorc.com, nrokadorc.com
84.38.183.77    June 17  juneusdousigninc.com, usdousigninc.com
84.38.182.236   June 22  marutoba.com, terrasimonad.com, enterassimonad.com
84.38.183.213
84.38.181.195   June 28  caranatrium.com
84.38.183.114   July 06  menodlap.com, turendong.com, madustag.com
84.38.183.237

While this factor alone is not enough to identify Dridex, this is a good auxiliary detail to refer to when dealing with Dridex IOCs.
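As an added example (not Check Point's tooling), the following Python turns the table above into the “map” the article describes: it clusters delivery-domain resolutions by /22 network with the standard ipaddress module, keeps the networks that hosted several distinct domains, and scores a freshly resolved IP against them. The rows are taken from the table; the 198.51.100.7 control row, the 84.38.181.200 lookup and the thresholds are constructed.

```python
import ipaddress

# Rows taken from the table above: (first seen, IPs, domains). Where the table lists
# two IPs against several domains it does not say which domain resolved to which IP,
# so each row is kept as a group rather than as guessed pairs.
PAGE_ROWS = [
    ("May 10",  ["84.38.182.248"], ["rokadorc.com", "nrokadorc.com"]),
    ("June 17", ["84.38.183.77"],  ["juneusdousigninc.com", "usdousigninc.com"]),
    ("June 22", ["84.38.182.236", "84.38.183.213"],
                ["marutoba.com", "terrasimonad.com", "enterassimonad.com"]),
    ("June 28", ["84.38.181.195"], ["caranatrium.com"]),
    ("July 06", ["84.38.183.114", "84.38.183.237"],
                ["menodlap.com", "turendong.com", "madustag.com"]),
]
# Constructed control row in the TEST-NET-2 documentation range: unrelated hosting.
CONTROL_ROWS = [("July 09", ["198.51.100.7"], ["unrelated.example"])]


def cluster_by_prefix(rows, prefix_len=22):
    """Group observations by the /prefix_len network each IP falls into.
    Returns {"a.b.c.0/22": {"ips": set, "domains": set, "seen": [dates in order]}}."""
    clusters = {}
    for seen, ips, domains in rows:
        for ip in ips:
            net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
            c = clusters.setdefault(net, {"ips": set(), "domains": set(), "seen": []})
            c["ips"].add(ip)
            c["domains"].update(domains)
            c["seen"].append(seen)
    return clusters


def hot_networks(rows, prefix_len=22, min_domains=3):
    """The 'map': networks that hosted at least min_domains distinct delivery domains."""
    return {net: c for net, c in cluster_by_prefix(rows, prefix_len).items()
            if len(c["domains"]) >= min_domains}


def score_new_resolution(ip, hot):
    """Auxiliary signal for a newly resolved delivery domain: (network, number of
    Dridex domains previously seen there), or None if it lands outside the map."""
    addr = ipaddress.ip_address(ip)
    for net, c in hot.items():
        if addr in ipaddress.ip_network(net):
            return net, len(c["domains"])
    return None


if __name__ == "__main__":
    hot = hot_networks(PAGE_ROWS + CONTROL_ROWS)
    for net, c in hot.items():
        print(f"{net}: {len(c['ips'])} IPs, {len(c['domains'])} domains, "
              f"first {c['seen'][0]}, last {c['seen'][-1]}")
    print(score_new_resolution("84.38.181.200", hot))   # constructed new resolution
```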

Detection

The graphs below show Dridex spikes on different dates when we caught the incoming threats at their earliest stages.

Figure 16 – Dridex infection spike on June 29.

Figure 17 – Dridex infection spike between July 6 – July 8.

It is crucial to be able to intercept a Dridex infection as early as possible. In many cases, unless the spam is sent for several days consecutively, as it was between July 6 and July 8, the botnet activity slows down the next day and we do not get as many IOC matches as during its spike. Given that new infections appear around the afternoon (UTC+3), we have less than 12 hours to react to the incoming threat.

Dridex development

From July 22 we did not observe any fresh Dridex spam samples. Dridex made a reappearance on September 7, showing a massive spike in activity for 2 consecutive days:

Figure 18 – Recent September spike in Dridex activity.

Dridex operators updated the first stage of Dridex execution: they added more URLs from which the payload may be downloaded, as opposed to the single URL in the earliest versions of the malicious documents. Now their number may be as high as 50 within a single document.

We’re constantly monitoring this botnet and detecting its payload at different stages of execution.

We hope this publication provided useful insights on different variants and methods to deal with this threat. We also believe that these methods may be applied when encountering other threats as well.

As cyber attacks become increasingly evasive, more controls are added, making security more complicated and tedious to the point that user workflows are affected. Until now.

Fueled by the power of ThreatCloud, the most powerful threat intelligence and AI technologies to prevent unknown cyber threats, SandBlast Network provides the best zero-day protection while reducing security overhead and ensuring business productivity.

Protection signatures

Banker.Win.Dridex.A
Banker.Win.Dridex.B
Banker.Win.Dridex.C
Banker.Win.Dridex.D
Banker.Win.Dridex.E
Banker.Win.Dridex.F
Banker.Win.Dridex.gl.H
Banker.Win.Dridex.J
Banker.Win.Dridex.K

IOCs

Below we list some of the indicators linked to Dridex. Please note that the list is not full by any means.

\n\n\n\n

Domains:

rokadorc[.]com
nrokadorc[.]com
juneusdousigninc[.]com
usdousigninc[.]com
marutoba[.]com
terrasimonad[.]com
enterassimonad[.]com
caranatrium[.]com
menodlap[.]com
turendong[.]com
madustag[.]com
fattnumdelordine[.]com
armomaq[.]com
caissefamilylaw[.]com
secretpath[.]xyz

IP addresses:

84[.]38.181.195
84[.]38.182.236
84[.]38.182.248
84[.]38.183.77
84[.]38.183.114
84[.]38.183.213
84[.]38.183.237

Dridex 1st layer proxy C&C servers:

https://45.79.8.25[:]443
https://185.201.9.197[:]9443
https://217.160.78.166[:]4664
https://108.175.9.22[:]33443
https://51.38.124.206[:]443/
https://207.180.230.218[:]3389/
https://2.58.16.87[:]8443/
https://45.177.120.36[:]691/
https://52.114.132.73[:]443
https://192.232.251.32[:]443
https://162.144.41.190[:]443
https://40.122.160.14[:]443
https://67.213.75.205[:]443

URLs:

https[:]//discuss.ojowa.com/themes/wowonder/javascript/tinymce/js/dkfjgbji.gif
https[:]//sjoeberg.nu/a/jdfggo.rar
https[:]//greatstr.com/webadmin/djfhgeh.pdf
https[:]//axalta.grupojenrab.mx/wp-admin/ssfisjgniwerg.pdf
https[:]//bombshellshow.me/wp-content/jdfggo.rar
https[:]//amaimaging.net/wp-content/rjkthgowertgoiwe.zip
https[:]//pharmacy.binarybizz.com/vendor/njdfhgeroig.rar
https[:]//construtorahabite.com.br/wpadmin/rjkthgowertgoiwe.zip
https[:]//drinkangola.com/wp-content/plugins/wordpress-seo/config/composer/dkfjgbji.gif
https[:]//mcciorar.iglesiamcci.cl/njdfhgeroig.rar
https[:]//eduserve.sezibwa.com/images/njdfhgeroig.rar
https[:]//idklearningcentre.com.ng/wp/wp-content/plugins/jetpack/3rd-party/dkfjgbji.gif
https[:]//agencia.fal.cl/wp-includes/njdfhgeroig.rar
https[:]//sweepegy.com/djfhgeh.pdf
https[:]//tallermecanicoyllantera.grupojenrab.mx/wp-admin/rjkthgowertgoiwe.zip
https[:]//neocuboarquitetura.com.br/viewer/ssfisjgniwerg.pdf
https[:]//vyvanse.co/auth14/zxc.zip
https[:]//minsann.se/NewFolder/ad/style/theme/upload/84348fh34hf.pdf
https[:]//admin.grandoceanvilla.com/pug/includes/css/84348fh34hf.pdf
https[:]//glowtank.in/js/ssfisjgniwerg.pdf
https[:]//leandrokblo.com/wp-content/plugins/w3-total-cache/ini/apache_conf/dkfjgbji.gif
https[:]//medszoo.in/jdfggo.rar
https[:]//properties.igpublica.com.br/excelPo/rjkthgowertgoiwe.zip
https[:]//coomiponal.com/simulador/zxc.zip
https[:]//inkrites.com/wp-content/themes/zerif-lite/ti-prevdem/img/84348fh34hf.pdf
https[:]//manogyam.com/storage/njdfhgeroig.rar
https[:]//radiantmso.com/wp-content/plugins/smart-slider-3/library/media/dkfjgbji.gif
https[:]//etsp.org.pk/uploads/jdfggo.rar
https[:]//tmpartners-gh.com/djfhgeh.pdf
https[:]//heraldfashion.store/wp-admin/zxc.zip
https[:]//danojowacollection.com/djfhgeh.pdf
https[:]//leboudoirstquayportrieux.fr/image/ssfisjgniwerg.pdf
https[:]//quiz.walkprints.com/wp-includes/js/tinymce/themes/inlite/84348fh34hf.pdf
https[:]//siebuhr.com/pmosker/zxc.zip
https[:]//karyagrafis.com/njdfhgeroig.rar
https[:]//businessquest.com.my/schedule/jdfggo.rar
https[:]//maisaquihost.com.br/teste/rjkthgowertgoiwe.zip
https[:]//getsolar4zerodown.info/djfhgeh.pdf
https[:]//emyhope.com/wp-content/plugins/jetpack/_inc/blocks/84348fh34hf.pdf
https[:]//igpublica.com.br/asset/zxc.zip
https[:]//speakerpedia.in/images/zxc.zip
https[:]//timamollo.co.za/sitepro/jdfggo.rar
https[:]//eb3tly.online/njdfhgeroig.rar

Hashes (malicious documents):

Hashes (malware samples):

84d3573747fbdf7ca822fd5a48726484c8b617e74a920dc2a68dd039b8f576fd
a633e85176faf87dfa99e89e559e3be3f2854592a3adb9f6ea6aab88c06dd198
ad4d2f9fcadce231e18e50de3bb58028ae13eaf76a9c085d0073230e0fa17a9e
b0699861417da2e3626eb78d62d305b7ca5e03f06e5e6bfd0eea99d64306495e
b5b71c61a29f80c667772f5d008789816e0c7a53193536fc660a6f72009b23de
b66a5d391335b6dc827225b6531f172151d8a87c7514de789bcaf1999b0645ff
c37accc1f995cb32235edbea877813109627eca4b209f060bee357489c6bb31b
c6de2ef240cdca97e8d5d6fdcfc7bfd8d5c81a47204d268bd08e4b963d66a64b
c8cca37f43f4aa66b4bfbf811931c57971d2f1571cfebbb7d24235c07e108f26
cc33c8c4eb3588fdd48ddb081f77040283c2f6b8c37777f8202b858b64a5952b
d18d211cf75fbc048d785af92b76a1aa7a01e381313b1a5e66e9cf564cbe78d4
f8c974a6572fd522a64d22da3bf36db7e912ccb700bd41623ed286f1e8b0e939
fa61c3c9e2089deb3f2b40333f5ee0860177692c436c50b07eef85993a1dbfa9
fcc0db0ce710f68915b4d73274d69bb5765012b02631bb737c66a32a9a708aab
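The lists above are defanged for safe publication, so before they can be used for detection they have to be refanged and compared against the fields a proxy or DNS log actually carries. The following Python script is an added example, not Check Point's code: it refangs a constructed subset of the indicators listed above (the full lists are on this page), parses constructed proxy log lines in an assumed "epoch client method target" format, and reports which lines touch a listed domain, IP address, first-layer C&C endpoint or payload URL. Because the URL list reuses a handful of payload file names across many compromised hosts, the script also flags a matching file name on an unlisted host as a weaker signal worth a second look.

```python
"""Match defanged Dridex indicators against proxy log lines.

Added example (not Check Point's code). The indicator lists below are a
constructed subset written in the same defanged style as the IOC section;
the proxy log format and the log lines are constructed as well.
"""
import re
from urllib.parse import urlsplit

# Constructed subset of the page's IOC lists, kept in their defanged form.
DEFANGED_DOMAINS = ["rokadorc[.]com", "secretpath[.]xyz"]
DEFANGED_IPS = ["84[.]38.181.195", "84[.]38.183.237"]
DEFANGED_C2 = ["https://45.79.8.25[:]443", "https://207.180.230.218[:]3389/"]
DEFANGED_PAYLOAD_URLS = [
    "https[:]//greatstr.com/webadmin/djfhgeh.pdf",
    "https[:]//sweepegy.com/djfhgeh.pdf",
]

# Constructed proxy log, assumed format: "<epoch> <client-ip> <method> <target>".
SAMPLE_LOG = [
    "1631000001 10.0.0.12 GET https://greatstr.com/webadmin/djfhgeh.pdf",
    "1631000002 10.0.0.12 CONNECT 45.79.8.25:443",
    "1631000003 10.0.0.15 GET https://www.rokadorc.com/index.html",
    "1631000004 10.0.0.15 GET https://example.org/downloads/djfhgeh.pdf",
    "1631000005 10.0.0.20 GET https://example.org/news.html",
    "1631000006 10.0.0.21 CONNECT 207.180.230.218:3389",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (CONNECT|GET|POST) (\S+)")


def refang(indicator: str) -> str:
    """Undo the usual defanging ([.] [:] [/] hxxp) so indicators compare to real log fields."""
    s = indicator.replace("[.]", ".").replace("[:]", ":").replace("[/]", "/")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def _endpoint(url: str):
    """(host, port) for a refanged URL, filling in the scheme's default port."""
    p = urlsplit(url)
    return p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80)


def parse_proxy_line(line: str):
    """Return (host, port, path) from a log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group(3), m.group(4)
    if method == "CONNECT":  # TLS tunnel: target is host:port and there is no path
        host, _, port = target.rpartition(":")
        return host.lower(), int(port), ""
    if urlsplit(target).hostname is None:
        return None
    host, port = _endpoint(target)
    return host, port, urlsplit(target).path


class DridexIocMatcher:
    def __init__(self, domains, ips, c2_urls, payload_urls):
        self.domains = {refang(d).lower() for d in domains}
        self.ips = {refang(i) for i in ips}
        self.c2 = {_endpoint(refang(u)) for u in c2_urls}
        self.payloads = set()
        for u in payload_urls:
            r = refang(u)
            self.payloads.add((_endpoint(r)[0], urlsplit(r).path))
        # The IOC list reuses a few payload file names across many compromised
        # hosts, so a bare file name is a weaker but broader signal.
        self.payload_names = {path.rsplit("/", 1)[-1] for _, path in self.payloads}

    def check(self, line: str):
        """List the indicator categories a single log line matches (empty if none)."""
        parsed = parse_proxy_line(line)
        if parsed is None:
            return []
        host, port, path = parsed
        reasons = []
        if host in self.domains or any(host.endswith("." + d) for d in self.domains):
            reasons.append("known Dridex domain")
        if host in self.ips:
            reasons.append("known Dridex IP")
        if (host, port) in self.c2:
            reasons.append("1st-layer proxy C&C endpoint")
        if (host, path) in self.payloads:
            reasons.append("known payload URL")
        elif path and path.rsplit("/", 1)[-1] in self.payload_names:
            reasons.append("payload file name seen on another host (weak signal)")
        return reasons


def default_matcher():
    return DridexIocMatcher(DEFANGED_DOMAINS, DEFANGED_IPS, DEFANGED_C2, DEFANGED_PAYLOAD_URLS)


def scan(lines, matcher=None):
    """Return [(index, line, reasons)] for every line that hits at least one indicator."""
    matcher = matcher or default_matcher()
    hits = []
    for i, line in enumerate(lines):
        reasons = matcher.check(line)
        if reasons:
            hits.append((i, line, reasons))
    return hits


if __name__ == "__main__":
    for i, line, reasons in scan(SAMPLE_LOG):
        print(f"line {i}: {', '.join(reasons)} <- {line}")
```

Matching C&C servers on the (host, port) pair rather than on the IP alone matters here because the first-layer proxies sit on ordinary hosting ranges and use non-standard ports such as 3389 or 33443; the port is what separates the Dridex endpoint from unrelated traffic to the same address range. Subdomain matching (`www.rokadorc.com` against `rokadorc[.]com`) is deliberate, since the domain list contains only registrable domains.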
