
DRIDEX Spam Runs Resurface Against US Targets

  • Posted on:November 25, 2015 at 4:36 am
  • Posted in:Malware, Spam
  • Author:
    Ryan Flores (Threat Research Manager)

DRIDEX is steadily regaining its footing in the US just over a month after its takedown, which was orchestrated by US and UK law enforcement agencies. Taking down servers is a significant step in crippling botnets, but unless all of the infrastructure is destroyed and all of the threat actors are caught, threats like DRIDEX are bound to resurface. As such, it is the responsibility of security researchers to continually monitor threats after takedowns and collaborate to eventually destroy them. Trend Micro prioritizes supporting arrests over takedowns where possible for exactly this reason, as seen in our recent joint arrest with the NCA in the UK.

Figure 1. Distribution of victims, October 13 to November 23 

Meanwhile, our fight against DRIDEX continues. We are seeing multiple DRIDEX-related spam runs, most of which use social engineering lures involving financial matters such as an invoice, an unpaid bill, a financial statement, a current credit balance, or a receipt. We have seen around 10 variants with varying contents, all written in English, from the spam run that started as early as November 13.

Figure 2. Spam used to spread DRIDEX

Figure 3. Spam used to spread DRIDEX

Looking further into these spam runs, we see that they were run by DRIDEX botnets that have been around since as early as August 2014. The DRIDEX botnet is separated into segments using a number coding system that identifies which actors, campaigns, or targets are involved. In these recent spam runs, the ID or segment used is one that we have seen since 2014. This development further validates previous findings that the DRIDEX botnet was not totally taken down.


Figure 4. Affiliate code found in recent spam runs

Our analysis of the new variants suggests that they use the same complex obfuscation and indirect-call techniques as past variants to make analysis more difficult. In a previous analysis, we noted that the code contains strings related to sending e-mail. We are still checking whether these new variants can send e-mail, which would, in effect, bring the entire DRIDEX infection chain full circle.

Figure 5. DRIDEX code

Macro Malware: Old Threat, Still Around

Both Excel and Word documents are being used in these spam runs. When opened, these Office files contain a macro which, in turn, downloads the malicious DRIDEX file. No vulnerability is needed, although by default macros are disabled in both Excel and Word (with a notification to the user that macros were present but disabled).
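Since the attachments in these runs only work because a VBA project is embedded in the document, a mail gateway can flag macro-bearing Office files before a user ever sees the "macros disabled" notification. The following is an added example (not Trend Micro's code) that classifies attachments by their container format rather than by file extension; the sample attachments and their lure-style names are constructed for the demo.

```python
import io
import zipfile

# Added example, not Trend Micro's code: triage mail attachments by whether they
# carry an embedded VBA project, the delivery mechanism described above. OOXML
# files (.docx/.docm/.xlsx/.xlsm) are ZIP containers and a macro lives in a
# vbaProject.bin part whatever extension the sender chose; legacy OLE2 (.doc/.xls)
# files are recognised by magic bytes and routed to deeper inspection.

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"  # binary Word/Excel: VBA storage needs an OLE parser
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "other"
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def build_ooxml(app: str, with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped container for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{app}/document.xml", "<document/>")
        if with_macro:
            zf.writestr(f"{app}/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


# Constructed samples named after the financial lures seen in the spam runs.
SAMPLES = {
    "invoice.docx": build_ooxml("word", True),  # macro behind a harmless-looking name
    "statement.xlsx": build_ooxml("xl", False),
    "receipt.xls": OLE2_MAGIC + b"\x00" * 64,
    "bill.pdf": b"%PDF-1.4 constructed",
}


def triage(samples=SAMPLES) -> dict:
    """Map each attachment name to its verdict; 'ooxml-macro' goes to quarantine."""
    return {name: classify_attachment(blob) for name, blob in samples.items()}
```

Note that the legacy OLE2 verdict is deliberately conservative: without an OLE parser the script cannot see whether a binary .doc/.xls actually contains VBA, so it hands those files to a deeper analysis stage instead of clearing them.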

Macro malware is a long-standing threat that has seen some revival in recent years to distribute threats like ransomware. This tactic was used to spread DRIDEX in the past, and it appears that its creators are relying on similar tactics once again.

While it will take time for DRIDEX to regain its former strength, these new spam runs indicate that the masterminds behind DRIDEX have regrouped and restarted their criminal activity. Users who thought DRIDEX was no longer a problem will have to think again. Users should disable the ability to run macros if they don't need them; this is how Excel and Word are configured by default.

Hashes

We use a variety of detection names to detect this threat:

  • TSPY_DRIDEX.AT
  • TSPY_DRIDEX.AU
  • TSPY_DRIDEX.SPB
  • TSPY_DRIDEX.YJL
  • TSPY_DRIDEX.YYSOX
  • W2KM_DRIDEX.YYSOZ
  • W2KM_DRIDEX.YYSPB
  • X2KM_DRIDEX.AT
  • X2KM_DRIDEX.YJP
  • X2KM_DRIDEX.YJQ

The malicious files involved in this attack have the following hashes:


Additional analysis by David John Agni, Franz Ryan Englis, and Michael Marcos
