Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. The volume clearly stood out against the average daily amount of spam with attachments. The campaigns were largely sent to accounts with email addresses in the .co.uk domain.
The first run, with subject lines such as “Your Booking 938721” (numbers vary), started at 8:30 GMT, with a very lengthy booking confirmation text body stating that the attached document needs to be printed out. See below.
The attachment is a .zip file containing another compressed file, in either .zip or .rar format. The doubly compressed item is either a VBScript (.vbs) file that downloads and executes the Dridex banking trojan loader binary, or a Quant loader binary that downloads the same Dridex binary.
The second campaign started around 13:30 GMT and had a similar theme to the first, with subject lines such as “uk_confirmation_ph948261563.pdf” (numbers vary). The attachment is again a doubly zip-compressed file, but this time it contains the Dridex loader binary directly, with no intermediate downloader malware, together with a text file of instructions (which, if followed, result in compromise).
The third spam run began just before 18:00 GMT, had subject lines such as “Emailing: P2993995.JPG” (numbers vary), and carried a doubly compressed zip-file attachment. The body of the mail gave the impression of a bounce message from a mail server. The compressed items were similar to those of the second run: a Dridex binary and a short text file stating that the binary needs to be executed.
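All three runs share one structural tell: an archive nested inside an archive, with a script or executable (sometimes behind a double extension such as .JPG.exe) at the inner level. The following is an added example of a mail-gateway triage check for exactly that pattern; it is not code from the original post or from the vendor. It walks nested zip files in memory without extracting to disk, hashes each leaf member, and blocks attachments that contain executable content, nest too deeply, or declare oversized members. The extension policy, depth limit and size cap are hypothetical choices for the example, and the sample attachment is constructed here (an MZ stub standing in for the Dridex binary, not real malware). Inner .rar archives, which the first run also used, are not handled because the standard library cannot read them.

```python
import hashlib
import io
import zipfile

# Hypothetical policy for this example: member types that should never arrive
# inside a "booking confirmation" or "emailing a photo" attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".vbs", ".vbe", ".js", ".jse",
                   ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
NESTED_ARCHIVE_EXTS = {".zip"}        # .rar would need a third-party library
MAX_DEPTH = 3                         # outer zip = 1, inner zip = 2; deeper is abnormal
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate huge members (zip-bomb guard)


def _ext(name):
    """Lower-cased final extension, e.g. 'P2993995.JPG.exe' -> '.exe'."""
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def inspect_archive(data, depth=1, path=""):
    """Recursively walk a (possibly nested) zip held in memory.

    Returns one finding per leaf member: {path, depth, sha1, verdict}.
    Verdicts: executable-content, nesting-too-deep, oversized, not-a-zip, other.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append({"path": path, "depth": depth, "sha1": None,
                         "verdict": "nesting-too-deep"})
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append({"path": path, "depth": depth,
                         "sha1": hashlib.sha1(data).hexdigest(),
                         "verdict": "not-a-zip"})
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append({"path": member_path, "depth": depth,
                                 "sha1": None, "verdict": "oversized"})
                continue
            content = zf.read(info)
            if _ext(info.filename) in NESTED_ARCHIVE_EXTS:
                # Descend into the inner archive without writing it to disk.
                findings.extend(inspect_archive(content, depth + 1, member_path))
                continue
            verdict = "executable-content" if _ext(info.filename) in EXECUTABLE_EXTS else "other"
            findings.append({"path": member_path, "depth": depth,
                             "sha1": hashlib.sha1(content).hexdigest(),
                             "verdict": verdict})
    return findings


def verdict_for_attachment(data):
    """'block' if any member is executable or the nesting is abnormal, else 'allow'."""
    bad = {"executable-content", "nesting-too-deep", "oversized"}
    if any(f["verdict"] in bad for f in inspect_archive(data)):
        return "block"
    return "allow"


def _zip_bytes(members):
    """Build an in-memory zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed sample mimicking the third run: a zip inside a zip holding a
    fake 'binary' (an MZ stub only, not real malware) and a short readme."""
    inner = _zip_bytes({
        "P2993995.JPG.exe": b"MZ" + b"\x00" * 62,
        "readme.txt": b"The attached file must be executed to view the image.\n",
    })
    return _zip_bytes({"P2993995.zip": inner})


if __name__ == "__main__":
    sample = build_sample_attachment()
    for f in inspect_archive(sample):
        print(f["depth"], f["verdict"], f["path"], f["sha1"])
    print(verdict_for_attachment(sample))
```

The SHA-1 of each leaf member comes out alongside the verdict so it can be matched against a hash list before the attachment is quarantined. An attachment that fails to parse as a zip is reported as not-a-zip rather than blocked; whether to hold those for review is a policy decision.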
This campaign of the Dridex banking trojan (campaign ID 7200) targets customers of multiple commercial banks in the UK, such as Barclays, Lloyds, and Santander.
Sample hashes (SHA-1):
7f4aec2a738d13f4e0882ae917578f9176aab05d
32b442717c22a1e84d6eafbb20d794f781db4f05
694266450ffedf4008f0cf0e5573c63c56f2e5d0
e815d6b25675629a85d64a1f2d450da02c8cc579
299cd2cd9f4942b143c51e6d1e10ea240edcd65a
4379ab1633143b855e553d507366104c9d51b20d
5f9f46f34fdaceb6b2bb74043eb6cbbd2657fe16
7e3b81248835d59cfa780a315836694950fbc88c
9baf8662843220f52d0d5797efc70f886e60138f
9bddc3695c7272f3d848afe7a763d61497e518ab
d4ea89cfd13794c8c79625e74e6f4e44be9bfa27
176e33b265829b7c1922be76652ec254148eb278
4f60ec876a7b59d547c01977bb13aba95114290b
baf1d46ffeae15faffc6a905a2b6797bf06d0734
71792564c59392c6f875c18bb62b7f501ba48a5d
feebdfc11a48fb72497683aa9a3447256ea04fb2
1f98860ad4fd5b8e59069a069735864f5756bc70
2fc7a8b3fabc1c4824fd5eebd9150a7f6efce740
637d81336b0734b43fe724c7b5411bb428dec54a
e13fbb78710f6b3fa1981b9e958494b1f6de6d16
f2592c565e0e3483e7aae18863e3f0558a78ba1f
539af507be8ca297ce0aa14054b31a93a5998c0e
9a418586f2741f47e7e827e67d83d6ff7ca45ab0
cc5a97d500161cd80eec1cab210583cdff003c2c
155863bcd4ea677986beb13b1e519f3f71cf2183

The loader phones home to:
hxxp://solucionesfenix[.]net/33f3v3.exe
hxxp://nzhat[.]net/9jgtyft6
We detect these threats with detection names such as: