Massive Dridex Spam Runs, Targeting UK

Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. Their magnitude clearly stood out from the average daily volume of spam with attachments. The campaigns were largely sent to accounts with email addresses under the co.uk domain.

Dridex campaigns separated by subject.

Times on this graph are based on Helsinki’s time zone.

The first run, with subject lines such as “Your Booking 938721” (numbers vary), started at 8:30 GMT, with a very lengthy booking-confirmation text body stating that the attached document needs to be printed out. See below.

Dridex spam, subject: Your Booking

The attachment is a .zip file containing another compressed file, in either .zip or .rar format. The doubly compressed item is either a VBS script that downloads and executes the Dridex banking trojan loader binary, or a Quant loader binary that downloads the same Dridex binary.

The second campaign started around 13:30 GMT and had a theme similar to the first, with subject lines such as “uk_confirmation_ph948261563.pdf” (numbers vary). The attached file is again a doubly zip-compressed file, but this time it contained the Dridex loader binary directly, without any intermediate downloader, together with a text file of instructions (which, if followed, result in compromise).

Dridex spam, subject: uk confirmation

The third spam run began just before 18:00 GMT, had subject lines such as “Emailing: P2993995.JPG” (numbers vary), and carried a doubly compressed zip-file attachment. The body of the mail gave the impression of a bounce message from a mail server. The compressed items were similar to those of the second run: a Dridex binary and a short text file stating that the binary needs to be executed.
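All three runs share one structural tell: an archive inside the attached archive, with a script or executable at the bottom. The following Python script is an added example (not code from the original post) that walks a ZIP attachment held in memory, records nested archives and executable members, and flags the archive-in-archive-with-payload pattern. It only descends into ZIPs, since the standard library cannot open RAR; a nested RAR is recorded by its signature and counted as nesting. The sample attachment it builds is constructed for this example (the member names echo the first run's subject line, the script body is a harmless placeholder).

```python
import io
import os
import zipfile

# Member types seen in the runs described above: a script or PE loader sitting
# inside an archive that is itself inside the attached .zip.
PAYLOAD_EXTENSIONS = {".vbs", ".js", ".jse", ".wsf", ".exe", ".scr"}
RAR_MAGIC = b"Rar!\x1a\x07"  # signature shared by RAR 4 and RAR 5 archives


def _walk_zip(data, depth, findings, max_depth=4):
    """Recursively list a ZIP held in memory, recording nested archives and
    executable members. `depth` is 0 for the attachment itself."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    for info in zf.infolist():
        if info.is_dir():
            continue
        ext = os.path.splitext(info.filename.lower())[1]
        findings["max_depth"] = max(findings["max_depth"], depth)
        if ext in PAYLOAD_EXTENSIONS:
            findings["payloads"].append((depth, info.filename))
            continue
        member = zf.read(info)
        if member.startswith(RAR_MAGIC) or ext == ".rar":
            # The standard library cannot open RAR; the nesting itself is enough to flag.
            findings["nested_archives"].append((depth, info.filename, "rar"))
        elif ext == ".zip" or zipfile.is_zipfile(io.BytesIO(member)):
            findings["nested_archives"].append((depth, info.filename, "zip"))
            if depth < max_depth:
                _walk_zip(member, depth + 1, findings, max_depth)


def inspect_attachment(data):
    """Return what was found and whether the attachment matches the
    archive-in-archive-with-payload pattern."""
    findings = {"max_depth": 0, "nested_archives": [], "payloads": []}
    _walk_zip(data, 0, findings)
    findings["suspicious"] = bool(findings["nested_archives"]) and bool(findings["payloads"])
    return findings


def build_sample_attachment():
    """Constructed stand-in for the first run's attachment: a .zip holding a
    .zip holding a .vbs. The script body is a harmless placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Your_Booking_938721.vbs", "' constructed placeholder, not a real script\r\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Your_Booking_938721.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_attachment():
    """Constructed control: a .zip with a single document-like member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        print(label, inspect_attachment(blob))
```

The depth cap guards against archive bombs that nest deeper than any legitimate attachment; in a mail gateway you would also cap the decompressed size of each member before reading it.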

Dridex spam, subject: Emailing

This campaign of the Dridex banking trojan (campaign ID 7200) is targeting customers of multiple commercial banks in the UK, such as Barclays, Lloyds, and Santander.

The loader phones home to:

  • 8.8.247.36:443
  • 81.12.229.190:8043
  • 107.170.0.14:8043
  • 37.120.172.171:4143

IoCs:

7f4aec2a738d13f4e0882ae917578f9176aab05d
32b442717c22a1e84d6eafbb20d794f781db4f05
694266450ffedf4008f0cf0e5573c63c56f2e5d0
e815d6b25675629a85d64a1f2d450da02c8cc579
299cd2cd9f4942b143c51e6d1e10ea240edcd65a
4379ab1633143b855e553d507366104c9d51b20d
5f9f46f34fdaceb6b2bb74043eb6cbbd2657fe16
7e3b81248835d59cfa780a315836694950fbc88c
9baf8662843220f52d0d5797efc70f886e60138f
9bddc3695c7272f3d848afe7a763d61497e518ab
d4ea89cfd13794c8c79625e74e6f4e44be9bfa27
176e33b265829b7c1922be76652ec254148eb278
4f60ec876a7b59d547c01977bb13aba95114290b
baf1d46ffeae15faffc6a905a2b6797bf06d0734
71792564c59392c6f875c18bb62b7f501ba48a5d
feebdfc11a48fb72497683aa9a3447256ea04fb2
1f98860ad4fd5b8e59069a069735864f5756bc70
2fc7a8b3fabc1c4824fd5eebd9150a7f6efce740
637d81336b0734b43fe724c7b5411bb428dec54a
e13fbb78710f6b3fa1981b9e958494b1f6de6d16
f2592c565e0e3483e7aae18863e3f0558a78ba1f
539af507be8ca297ce0aa14054b31a93a5998c0e
9a418586f2741f47e7e827e67d83d6ff7ca45ab0
cc5a97d500161cd80eec1cab210583cdff003c2c
155863bcd4ea677986beb13b1e519f3f71cf2183
hxxp://solucionesfenix[.]net/33f3v3.exe
hxxp://nzhat[.]net/9jgtyft6
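To turn the phone-home endpoints and download URLs above into something that can be run against firewall and proxy logs, here is an added Python example (not code from the original post). The indicator values are taken from the list above; the URLs are kept defanged and refanged before matching. The log line layouts and the sample lines are constructed for this example and are not a particular vendor's format.

```python
import re

# Loader phone-home endpoints and download URLs from the IoC list above.
C2_ENDPOINTS = {
    ("8.8.247.36", 443),
    ("81.12.229.190", 8043),
    ("107.170.0.14", 8043),
    ("37.120.172.171", 4143),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
DEFANGED_URLS = [
    "hxxp://solucionesfenix[.]net/33f3v3.exe",
    "hxxp://nzhat[.]net/9jgtyft6",
]


def refang(url):
    """Turn a defanged indicator back into the literal value a log would hold."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


LOADER_URLS = {refang(u) for u in DEFANGED_URLS}

# Assumed log layouts (constructed for this example, not a vendor format):
#   fw:    ... dst=<ip> dport=<port> ...
#   proxy: ... url=<url> ...
FW_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<port>\d+)")
PROXY_RE = re.compile(r"\burl=(?P<url>\S+)")


def classify(line):
    """Return (category, indicator) for a line that matches an IoC, else None."""
    m = FW_RE.search(line)
    if m:
        ip, port = m.group("ip"), int(m.group("port"))
        if (ip, port) in C2_ENDPOINTS:
            return ("c2-endpoint", f"{ip}:{port}")
        if ip in C2_IPS:
            # Same host, different port: lower confidence, still worth a look.
            return ("c2-ip", ip)
    m = PROXY_RE.search(line)
    if m and m.group("url") in LOADER_URLS:
        return ("loader-url", m.group("url"))
    return None


def scan_log(lines):
    """Run every line through classify() and keep the hits with their source line."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append(result + (line,))
    return hits


# Constructed sample lines; only the indicator values come from the post.
SAMPLE_LOG = [
    "10:02:11 fw: src=10.1.4.22 dst=37.120.172.171 dport=4143 proto=tcp action=allow",
    "10:02:15 fw: src=10.1.4.22 dst=192.0.2.10 dport=443 proto=tcp action=allow",
    "10:01:58 proxy: src=10.1.4.22 url=http://solucionesfenix.net/33f3v3.exe status=200",
    "10:03:30 fw: src=10.1.7.9 dst=8.8.247.36 dport=80 proto=tcp action=allow",
    "10:03:31 proxy: src=10.1.7.9 url=http://example.org/index.html status=200",
]

if __name__ == "__main__":
    for category, indicator, line in scan_log(SAMPLE_LOG):
        print(f"{category:12} {indicator:40} {line}")
```

Matching on the exact IP:port pair gives the highest-confidence hit; the separate "c2-ip" category keeps a host that is contacted on another port visible without treating it as a confirmed infection, which matters for the 8.8.247.36 entry that sits in a range carrying plenty of unrelated traffic.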

We detect these threats with detections such as:

  • Trojan-Downloader:VBS/Kavala.Z
  • Trojan:W32/Dridex.O!DeepGuard
  • Trojan:W32/Crowti.A!DeepGuard
  • Trojan.Agent.CFKS
  • Trojan.Agent.CFKI
