DRIDEX is steadily regaining its footing in the US just over a month after its takedown orchestrated by US and UK law enforcement agencies. Taking down servers is a significant step in crippling botnets, but unless all infrastructure are destroyed and all threat actors are caught, threats like DRIDEX are bound to resurface. As such, it is the responsibility of security researchers to continually monitor threats after takedowns and collaborate to eventually destroy them. Trend Micro prioritizes supporting arrests over takedowns where possible for exactly this reason, as seen in our recent joint arrest with NCA in the UK.
Figure 1. Distribution of victims, October 13 to November 23
Meanwhile, our fight against DRIDEX continues. We are seeing multiple DRIDEX-related spam runs, most of which are using social engineering lures that involve financial matters such as an invoice, an unpaid bill, a financial statement, current credit balance, or receipt. We have seen around 10 variants with varying contents and all using the English language from the spam run that started as early as November 13.
Figure 2. Spam used to spread DRIDEX
Figure 3. Spam used to spread DRIDEX
Looking further into these spam runs, we see that they were ran by DRIDEX botnets that have been around as early as August 2014. The DRIDEX botnet is separated into segments using a number coding system that identifies which actors, campaigns, or targets are involved. In these recent spam runs, we found that the ID or segment used is one that we have seen since 2014. This development further validates previous findings that the DRIDEX botnet was not totally taken down.
Figure 4. Affiliate code found in recent spam runs
Our analysis of the new variants suggests that it is using the same complex coding techniques of obfuscation and indirect calls as past variants to make analysis more difficult. In a previous analysis, we noted that the code contains strings related to sending e-mail. We are still checking if these new variants can send email, which would, in effect, bring the entire infection chain for DRIDEX full circle.
Figure 5. DRIDEX code
Macro Malware: Old Threat, Still Around
Both Excel and Word documents are being used in these spam runs. When opened, these Office files contain a macro which, in turn, downloads the malicious DRIDEX file. No vulnerability is needed, although by default macros are disabled in both Excel and Word (with a notification to the user that macros were present but disabled).
Macro malware is a long-standing threat that has seen some revival in recent years to distribute threats like ransomware. This tactic was used to spread DRIDEX in the past, and it appears that its creators are relying on similar tactics once again.
While it will take time for DRIDEX to regain its former strength, these new spam run indicate that the masterminds behind DRIDEX have regrouped and restarted their criminal activity. Users who thought DRIDEX was no longer a problem will have to think again. Users should disable the ability to run macros if they don’t need them; by default this is how Excel and Word are configured.
Hashes
We use a variety of detection names to detect this threat:
- TSPY_DRIDEX.AT
- TSPY_DRIDEX.AU
- TSPY_DRIDEX.SPB
- TSPY_DRIDEX.YJL
- TSPY_DRIDEX.YYSOX
- W2KM_DRIDEX.YYSOZ
- W2KM_DRIDEX.YYSPB
- X2KM_DRIDEX.AT
- X2KM_DRIDEX.YJP
- X2KM_DRIDEX.YJQ
The malicious files involved in this attack have the following hashes:
- 2681298227530857ecb7fd0483f6a2b502199ae7
- 27e044382787ce6fb939c3dc719bddf5a9079884
- 5768b9ffd34b494caa57fcbfdbba7658ab99af5e
- 5fc76c8bc0ca79f7b32363ae349a4d043457cf28
- 60609f9274a451dea2b4db2140d6f5f25db67217
- 7186faf622c2991c85902c92eda1d1120ed43052
- 8446015cf96a658aaa2caec9c5137ea2b4389027
- 88bf75c330be4f6c4c0ecd93e549cfd24e27b736
- 8b652145f06d023c8366fd391bc1c38474be06f5
- b8fe8a934da236ab2a92047d3e955a7ac8267412
- caad3ce34fa26e84496672d6694ace512226b83d
- d9f50bfd4d2e6bc8b4b8f8a749a2a112b38c7fd8
- ea2552e862d47d739cb5772ac806ac20fabb9f35
Additional analysis by David John Agni, Franz Ryan Englis, and Michael Marcos
