
Archive for May 12th, 2020

Malspam with links to zip archives pushes Dridex malware, (Wed, May 13th)

Introduction

In recent weeks, I continue to run across examples of malicious spam (malspam) pushing Dridex malware.  While malspam pushing Dridex can use attachments (usually Excel spreadsheets with malicious macros), I tend to focus on malspam using links to zip archives for Dridex.  Today’s diary provides a quick rundown of link-based Dridex activity on Tuesday, 2020-05-12.

Chain of events for these infections:

  1. Link from malspam
  2. Downloaded zip archive
  3. Extracted and executed VBS file
  4. Initial Dridex DLL dropped under the C:\ProgramData directory
  5. HTTPS/SSL/TLS traffic caused by Dridex
  6. Three different Dridex DLLs loaded through copies of legitimate system files made persistent through a Windows registry entry, a scheduled task, and a shortcut in the Windows startup menu

The malspam

See the following images for 4 examples of the 14 samples I collected on Tuesday 2020-05-12.


Shown above:  Malspam pushing Dridex malware on Tuesday 2020-05-12, example 1 of 4.


Shown above:  Malspam pushing Dridex malware on Tuesday 2020-05-12, example 2 of 4.


Shown above:  Malspam pushing Dridex malware on Tuesday 2020-05-12, example 3 of 4.


Shown above:  Malspam pushing Dridex malware on Tuesday 2020-05-12, example 4 of 4.

Downloading the zip archive

When successfully downloading a zip archive from one of the email links, you get a redirect to another URL that returns the zip.  These URLs are aware of the IP address you’re coming from, so if you’re a researcher coming from a VPN or other address the server doesn’t like, it will redirect you to a decoy website.  If you try the same email link more than once (and you’re from the same IP address), each successive attempt will give you the decoy website.  These decoy websites are different for each new wave of Dridex malspam that uses links for zip archives.


Shown above:  Link from an email provides a successful redirect that will return a malicious zip archive.


Shown above:  Saving the malicious zip archive.


Shown above:  Link from an email redirects to a decoy website.


Shown above:  Decoy website when the server doesn’t like the IP you’re coming from.  The decoy site from the 2020-05-12 wave was www.ppsspp.com.

The zip archive contains a VBS file, which uses Windows Script Host to run and install Dridex on a vulnerable Windows host.


Shown above:  The downloaded zip archive contains a VBS file.


Shown above:  Start of the contents on the extracted VBS file.

Infection traffic

Infection traffic was typical for what I normally see with Dridex infections.


Shown above:  Traffic from an infected Windows 10 host filtered in Wireshark.  Dridex traffic is noted with the arrows.

Indicators of Compromise (IoCs)

Data from 14 email examples of malspam with links to zip archives pushing Dridex:

  • Date: Tue, 12 May 2020 10:14:37 -0700
  • Date: Tue, 12 May 2020 10:22:34 -0700
  • Date: Tue, 12 May 2020 10:42:42 -0700
  • Date: Tue, 12 May 2020 10:52:58 -0700
  • Date: Tue, 12 May 2020 11:17:48 -0700
  • Date: Tue, 12 May 2020 11:21:09 -0700
  • Date: Tue, 12 May 2020 11:41:04 -0700
  • Date: Tue, 12 May 2020 11:51:54 -0700
  • Date: Tue, 12 May 2020 11:57:37 -0700
  • Date: Tue, 12 May 2020 12:12:12 -0700
  • Date: Tue, 12 May 2020 12:24:10 -0700
  • Date: Tue, 12 May 2020 12:32:41 -0700
  • Date: Tue, 12 May 2020 12:49:01 -0700
  • Date: Tue, 12 May 2020 12:56:48 -0700

7 different sending mail servers:

  • Received: from angelqtbw.us ([147.135.60.145])
  • Received: from ariankacf.us ([147.135.60.150])
  • Received: from arzenitlu.us ([51.81.254.89])
  • Received: from falhiblaqv.us ([147.135.99.6])
  • Received: from hotteswc.us ([147.135.60.146])
  • Received: from ppugsasiw.us ([147.135.99.18])
  • Received: from pufuletzpb.us ([147.135.99.8])

14 different spoofed senders:

  • From: Abg Deem
  • From: Abg Icarus
  • From: Abg Navy
  • From: Amity Save
  • From: Arid Save
  • From: Chorus Union
  • From: Continuum Union
  • From: Cool Union
  • From: Essence Group
  • From: Goal Save
  • From: Laced Save
  • From: Seeds Group
  • From: Sleeve Union
  • From: XORtion

14 different subject lines:

  • Subject: Announcement N-75067CV306500
  • Subject: Customer your Booking N-1341KM290237
  • Subject: Invoice 9497989GM301562
  • Subject: Invoice-376198HW271105
  • Subject: Mobile Transaction 420531LA570659
  • Subject: Notification-9102YS147581
  • Subject: Payment Received 245906CW349815
  • Subject: Payment Received 7792817SK97565
  • Subject: Prevention_216443WF226975
  • Subject: Prevention_739687SL4713
  • Subject: Recipient your Inquiry N-0650581WC836637
  • Subject: Report-03551HJ5068
  • Subject: Your Bell e-Bill is ready 70605KU2719
  • Subject: Your Transaction was Approved 8877WA048712

13 different links from the emails:

  • hxxp://brisbaneair[.]com/class.cache.php
  • hxxp://carbonne-immobilier[.]com/images/2016/icons/list/api.core.php
  • hxxp://edgewaterunitedmethodist[.]org/wp-content/plugins/wordpress-seo/frontend/schema/api.engine.php
  • hxxp://inter-dekor[.]hr/wp-content/uploads/wysija/bookmarks/medium/framework.php
  • hxxp://iris[.]gov[.]mn/app/framework.php
  • hxxp://masterstvo[.]org/modules/mod_rokgallery/templates/showcase_responsive/dark/cache.php
  • hxxp://www[.]consultationdocteurpronobis[.]fr/engine.php
  • hxxp://www[.]degalmun.jjcars[.]es/owncloud/apps/encryption/lib/AppInfo/include.php
  • hxxps://azparksfoundation[.]org/wp-content/themes/twentynineteen/sass/blocks/styles.php
  • hxxps://equineantipoaching[.]com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/lib.php
  • hxxps://rudhyog[.]in/surat/include/login/api.core.php
  • hxxps://www[.]betaalbare-website[.]be/wp-content/plugins/better-wp-security/dist/core/api.engine.php
  • hxxps://www[.]boosh[.]io/class.lib.php

Traffic from an infected Windows host

  • 159.69.93[.]233 port 80 – inter-dekor[.]hr – GET /wp-content/uploads/wysija/bookmarks/medium/framework.php
  • 185.37.228[.]106 port 80 – www[.]abogadoaccidenteslaboralesen-madrid[.]com – GET /wp-content/plugins/drpsassembly/css/inc.php?[string of variables and base64-encoded data]
  • 178.128.83[.]136 port 443 – no associated domain – HTTPS/SSL/TLS traffic caused by Dridex
  • 138.122.143[.]41 port 8443 – no associated domain – HTTPS/SSL/TLS traffic caused by Dridex
  • 109.169.24[.]37 port 453 – no associated domain – HTTPS/SSL/TLS traffic caused by Dridex
  • 70.184.254[.]247 port 443 – no associated domain – HTTPS/SSL/TLS traffic caused by Dridex
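The links and traffic entries above are written defanged (hxxp, [.]) so they cannot be clicked by accident; to use them as detection content they have to be refanged and normalised first. The following Python is an added example, not code from the diary: it refangs a subset of the diary's own indicators, reduces URLs to (host, path) so the match is not defeated by an http/https or upper-case host variation, and runs them over constructed proxy and firewall log lines (the log formats and client addresses are invented for illustration).

```python
"""Refang the diary's defanged Dridex indicators and match them against logs.

Added example; it is not code from the original diary. The indicator strings
are copied from the diary's IoC lists; the log lines and their two simple
formats are constructed here for illustration.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the diary (a subset of the 13 email links
# and the post-infection traffic list).
DEFANGED_URLS = [
    "hxxp://brisbaneair[.]com/class.cache.php",
    "hxxps://www[.]boosh[.]io/class.lib.php",
    "hxxp://iris[.]gov[.]mn/app/framework.php",
]
DEFANGED_C2 = [
    "178.128.83[.]136 port 443",
    "138.122.143[.]41 port 8443",
    "109.169.24[.]37 port 453",
]


def refang(indicator):
    """Undo the usual defanging: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    indicator = re.sub(r"^hxxp(s?)://", r"http\1://", indicator)
    return indicator.replace("[.]", ".").replace("[:]", ":")


def url_key(url):
    """Normalise a URL to (host, path); scheme dropped on purpose, since the
    same dropper path may be served over http or https. urlsplit lower-cases
    the host for us."""
    parts = urlsplit(url)
    return (parts.hostname or ""), (parts.path or "/")


def c2_key(defanged):
    """'178.128.83[.]136 port 443' -> ('178.128.83.136', 443)."""
    ip, _, port = refang(defanged).partition(" port ")
    return ip, int(port)


URL_IOCS = {url_key(refang(u)) for u in DEFANGED_URLS}
C2_IOCS = {c2_key(c) for c in DEFANGED_C2}

# Constructed proxy log, one request per line: <time> <client> <method> <url> <status>
PROXY_LOG = """\
2020-05-12T17:30:01Z 10.0.0.23 GET http://brisbaneair.com/class.cache.php 302
2020-05-12T17:30:02Z 10.0.0.23 GET https://www.boosh.io/class.lib.php 200
2020-05-12T17:31:44Z 10.0.0.41 GET https://www.example.org/index.php 200
2020-05-12T17:32:10Z 10.0.0.23 GET HTTP://IRIS.GOV.MN/app/framework.php 200
""".splitlines()

# Constructed firewall log, key=value pairs, one flow per line.
FIREWALL_LOG = """\
2020-05-12T17:33:00Z src=10.0.0.23 dst=178.128.83.136 dpt=443 proto=tcp action=allow
2020-05-12T17:33:01Z src=10.0.0.23 dst=93.184.216.34 dpt=443 proto=tcp action=allow
2020-05-12T17:33:05Z src=10.0.0.23 dst=109.169.24.37 dpt=453 proto=tcp action=allow
2020-05-12T17:33:09Z src=10.0.0.41 dst=138.122.143.41 dpt=8443 proto=tcp action=deny
""".splitlines()


def match_proxy(lines, iocs=URL_IOCS):
    """Return [(time, client, url)] for requests whose (host, path) is an IoC."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        time, client, _method, url, _status = fields[:5]
        if url_key(url) in iocs:
            hits.append((time, client, url))
    return hits


def match_firewall(lines, iocs=C2_IOCS):
    """Return [(time, src, dst, port)] for flows to a listed C2 IP:port.
    Denied flows count too: a blocked beacon still means an infected host."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        time, *pairs = line.split()
        kv = dict(p.split("=", 1) for p in pairs if "=" in p)
        try:
            dst, port = kv["dst"], int(kv["dpt"])
        except (KeyError, ValueError):
            continue
        if (dst, port) in iocs:
            hits.append((time, kv.get("src", "?"), dst, port))
    return hits


def infected_hosts(proxy_lines=PROXY_LOG, firewall_lines=FIREWALL_LOG):
    """Sorted client IPs seen fetching a dropper URL or beaconing to a C2."""
    hosts = {client for _, client, _ in match_proxy(proxy_lines)}
    hosts |= {src for _, src, _, _ in match_firewall(firewall_lines)}
    return sorted(hosts)


if __name__ == "__main__":
    for hit in match_proxy(PROXY_LOG):
        print("dropper fetch:", *hit)
    for hit in match_firewall(FIREWALL_LOG):
        print("C2 flow:", *hit)
    print("hosts to triage:", infected_hosts())
```

Matching on (host, path) rather than the full URL string is deliberate: the diary's links mix http and https for the same kind of PHP dropper, and proxies log the host as the client sent it. Denied firewall flows are reported alongside allowed ones because the beacon attempt itself is the evidence of infection.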

Examples of malware from an infected Windows host:

SHA256 hash: ff8e2e72b1282b72f1a97abb30553d2b8d53366f429083f041c553d2a90878f6

  • File size: 571,519 bytes
  • File name: Report_224726231283.zip
  • File description: File downloaded from link in malspam pushing Dridex

SHA256 hash: a61b462f61f526c4f9d070ba792ecd4a8b842f815ed944b7f38169698bed047e

  • File size: 1,260,284 bytes
  • File name: Report~224726231283.vbs
  • File description: VBS file extracted from downloaded zip archive (designed to infect vulnerable host with Dridex)

SHA256 hash: 223e3e76df847b4e443574e616e56b348213bd0361a7f6789d21754de571cce7

  • File size: 714,240 bytes
  • File location: C:\ProgramData\qEWTLCuYyH.dll
  • File description: Initial Dridex DLL dropped by above VBS file
  • Run method: regsvr32.exe -s C:\ProgramData\qEWTLCuYyH.dll

SHA256 hash: 9a9e0ab271f8a27f689a350db3cecc84320dd3c708085c75d14adbafdd9da2a1

  • File size: 700,416 bytes
  • File location: C:\Users\[username]\AppData\Roaming\Microsoft\Windows\CloudStore\DyGykefYBHTDUser.dll
  • File description: Dridex DLL persistent on an infected Windows host (1 of 3)
  • File note: DLL loaded by bdeunlock.exe in the same directory, persistent through registry update

SHA256 hash: 9197396ed203f804226fb94548b4b899a46feaa7f7ff963fbccff232b5a79277

  • File size: 696,320 bytes
  • File location: C:\Users\[username]\AppData\Roaming\Thunderbird\Profiles\mng7115w.default-release\crashes\Niby8ztx\VERSION.dll
  • File description: Dridex DLL persistent on an infected Windows host (2 of 3)
  • File note: DLL loaded by iexpress.exe in the same directory, persistent through Startup menu shortcut

SHA256 hash: 28b9c07de53e41e7b430147df0afeab278094f3585de9d78442c298b0f5209e3

  • File size: 978,944 bytes
  • File location: C:\Users\[username]\AppData\Roaming\Adobe\Acrobat\DC\JSCache\Y3skYJ7F3B\DUI70.dll
  • File description: Dridex DLL persistent on an infected Windows host (3 of 3)
  • File note: DLL loaded by bdeunlock.exe in the same directory, persistent through a scheduled task

Final words

When a Dridex-infected Windows host is rebooted, the locations, names, and file hashes of the persistent Dridex DLL files are changed.
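Because the DLL names, directories and hashes are regenerated at every reboot, a hash-based hunt for the persistent stage goes stale almost immediately. What stays constant is the pattern the diary describes: a copy of a legitimate Windows binary (bdeunlock.exe, iexpress.exe) sitting in a user-writable directory next to the DLL it loads, anchored by a Run key, a scheduled task or a Startup-folder shortcut. The Python below is an added example, not code from the diary or from any tool it mentions; the autostart entries and directory listing are constructed stand-ins for autoruns-style output and a file inventory, with invented paths.

```python
"""Hunt for the Dridex persistence pattern this diary describes: a copy of a
legitimate Windows executable (bdeunlock.exe, iexpress.exe) dropped into a
user-writable directory next to the DLL it will load, and started by a Run
key, a scheduled task or a Startup-folder shortcut.

Added example; not code from the original diary. The diary notes that the
DLL paths, names and hashes change on every reboot, so this check keys on
the pattern and not on any hash. The autostart entries and directory
listing are constructed stand-ins for autoruns-style output and a file
inventory.
"""
from pathlib import PureWindowsPath

# Legitimate Windows binaries the diary reports being copied and abused.
SIDELOAD_HOSTS = {"bdeunlock.exe", "iexpress.exe"}

# Where a genuine copy of those binaries is expected to live. A copy under a
# user profile has the same hash as the real file, so only its location and
# the DLL beside it give it away.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed autostart entries: (persistence mechanism, path it launches).
AUTOSTARTS = [
    ("Run key", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\CloudStore\Abc123\bdeunlock.exe"),
    ("Startup shortcut", r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x.default-release\crashes\Qq99\iexpress.exe"),
    ("Scheduled task", r"C:\Windows\System32\bdeunlock.exe"),
    ("Run key", r"C:\Users\alice\AppData\Local\Vendor\updater.exe"),
]

# Constructed directory listing: directory -> files present in it.
LISTING = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\CloudStore\Abc123": ["bdeunlock.exe", "DUI70.dll"],
    r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x.default-release\crashes\Qq99": ["iexpress.exe", "VERSION.dll"],
    r"C:\Windows\System32": ["bdeunlock.exe", "iexpress.exe", "DUI70.dll", "VERSION.dll"],
    r"C:\Users\alice\AppData\Local\Vendor": ["updater.exe", "updater.dll"],
}


def is_under(path, root):
    """True if path lies inside root (case-insensitive, as Windows paths are)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_sideload_persistence(autostarts, listing):
    """Return one finding per autostart that launches a relocated system
    binary with a DLL beside it. Entries that launch the genuine binary from
    a trusted root, or an executable not in SIDELOAD_HOSTS, are ignored."""
    by_dir = {PureWindowsPath(d): files for d, files in listing.items()}
    findings = []
    for mechanism, launched in autostarts:
        exe = PureWindowsPath(launched)
        if exe.name.lower() not in SIDELOAD_HOSTS:
            continue
        if any(is_under(exe, root) for root in TRUSTED_ROOTS):
            continue
        dlls = [f for f in by_dir.get(exe.parent, []) if f.lower().endswith(".dll")]
        if dlls:
            findings.append({"mechanism": mechanism, "exe": str(exe), "dlls": dlls})
    return findings


if __name__ == "__main__":
    for f in find_sideload_persistence(AUTOSTARTS, LISTING):
        print(f"{f['mechanism']}: {f['exe']} side-loads {', '.join(f['dlls'])}")
```

On a real host the two inputs would come from the Run keys, the task scheduler and the Startup folders on one side and a recursive listing of the user profile on the other; the check itself does not depend on which DLL name Dridex picked after the last reboot.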

Dridex remains a feature of our threat landscape, and it will likely continue to be.  Windows 10 hosts that are fully patched and up-to-date have a very low risk of getting infected by Dridex, so it pays to follow best security practices.

Email examples, malware samples, and a pcap from an infected Windows host used in today’s diary can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.

Microsoft May 2020 Patch Tuesday, (Tue, May 12th)

This month we got an average Patch Tuesday with patches for 111 vulnerabilities in total. Sixteen of them are critical and, according to Microsoft, none of them was previously disclosed or is being exploited.

Among the critical vulnerabilities is a remote code execution (RCE) in Media Foundation caused by a memory corruption bug (CVE-2020-1126). To exploit it, an attacker has to convince the victim to open a specially crafted document or visit a malicious web page. It affects Windows 10 and Windows Server 2016 and 2019.

Another RCE critical vulnerability, with an exploitability index rated as “more likely”, affects Microsoft Graphics Components (CVE-2020-1153). It affects most of the supported Windows versions – from Windows 7 to Windows Server 2019. 

The highest CVSS v3 score this month (8.80) was given to CVE-2020-1126 – the one that affects Media Foundation (mentioned above).

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG)
--- | --- | --- | --- | --- | --- | --- | --- | ---
.NET Core & .NET Framework Denial of Service Vulnerability | CVE-2020-1108 | No | No | Less Likely | Less Likely | Important | |
.NET Framework Elevation of Privilege Vulnerability | CVE-2020-1066 | No | No | Less Likely | Less Likely | Important | |
ASP.NET Core Denial of Service Vulnerability | CVE-2020-1161 | No | No | Less Likely | Less Likely | Important | |
Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2020-1037 | No | No | Less Likely | Less Likely | Critical | 4.2 | 3.8
Connected User Experiences and Telemetry Service Denial of Service Vulnerability | CVE-2020-1084 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
 | CVE-2020-1123 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
DirectX Elevation of Privilege Vulnerability | CVE-2020-1140 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Internet Explorer Memory Corruption Vulnerability | CVE-2020-1062 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8
 | CVE-2020-1092 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8
Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1175 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1051 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1174 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1176 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
MSHTML Engine Remote Code Execution Vulnerability | CVE-2020-1064 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8
Media Foundation Memory Corruption Vulnerability | CVE-2020-1028 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
 | CVE-2020-1126 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
 | CVE-2020-1150 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1136 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability | CVE-2020-1055 | No | No | Less Likely | Less Likely | Important | |
Microsoft Color Management Remote Code Execution Vulnerability | CVE-2020-1117 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9
Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability | CVE-2020-1063 | No | No | Less Likely | Less Likely | Important | |
Microsoft Edge Elevation of Privilege Vulnerability | CVE-2020-1056 | No | No | Less Likely | Less Likely | Critical | 5.4 | 4.9
Microsoft Edge PDF Remote Code Execution Vulnerability | CVE-2020-1096 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8
Microsoft Edge Spoofing Vulnerability | CVE-2020-1059 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9
Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-0901 | No | No | Less Likely | Less Likely | Important | |
Microsoft Graphics Components Remote Code Execution Vulnerability | CVE-2020-1153 | No | No | More Likely | Less Likely | Critical | 7.8 | 7.0
Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1099 | No | No | Less Likely | Less Likely | Important | |
 | CVE-2020-1101 | No | No | Less Likely | Less Likely | Important | |
 | CVE-2020-1100 | No | No | Less Likely | Less Likely | Important | |
 | CVE-2020-1106 | No | No | Less Likely | Less Likely | Important | |
Microsoft Power BI Report Server Spoofing Vulnerability | CVE-2020-1173 | No | No | Less Likely | Less Likely | Important | |
Microsoft Script Runtime Remote Code Execution Vulnerability | CVE-2020-1061 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.8
Microsoft SharePoint Information Disclosure Vulnerability | CVE-2020-1103 | No | No | Less Likely | Less Likely | Important | |
Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2020-1023 | No | No | Less Likely | Less Likely | Critical | |
 | CVE-2020-1024 | No | No | Less Likely | Less Likely | Critical | |
 | CVE-2020-1102 | No | No | Less Likely | Less Likely | Critical | |
Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2020-1069 | No | No | Less Likely | Less Likely | Critical | |
Microsoft SharePoint Spoofing Vulnerability | CVE-2020-1107 | No | No | Less Likely | Less Likely | Important | |
 | CVE-2020-1104 | No | No | Less Likely | Less Likely | Important | |
 | CVE-2020-1105 | No | No | Less Likely | Less Likely | Important | |
Microsoft Windows Elevation of Privilege Vulnerability | CVE-2020-1010 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1068 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1079 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Microsoft Windows Transport Layer Security Denial of Service Vulnerability | CVE-2020-1118 | No | No | Less Likely | Less Likely | Important | 8.6 | 7.7
Scripting Engine Memory Corruption Vulnerability | CVE-2020-1065 | No | No | Less Likely | Less Likely | Critical | 4.2 | 3.8
VBScript Remote Code Execution Vulnerability | CVE-2020-1035 | No | No | More Likely | More Likely | Important | 6.4 | 5.8
 | CVE-2020-1058 | No | No | More Likely | More Likely | Important | 6.4 | 5.8
 | CVE-2020-1060 | No | No | More Likely | More Likely | Important | 6.4 | 5.8
 | CVE-2020-1093 | No | No | Less Likely | Less Likely | Critical | 6.4 | 5.8
Visual Studio Code Python Extension Remote Code Execution Vulnerability | CVE-2020-1192 | No | No | Less Likely | Less Likely | Critical | |
 | CVE-2020-1171 | No | No | Less Likely | Less Likely | Important | |
Win32k Elevation of Privilege Vulnerability | CVE-2020-1054 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
 | CVE-2020-1143 | No | No | More Likely | More Likely | Important | 7.0 | 6.3
Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability | CVE-2020-1112 | No | No | Less Likely | Less Likely | Important | 8.5 | 7.6
Windows CSRSS Information Disclosure Vulnerability | CVE-2020-1116 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Clipboard Service Elevation of Privilege Vulnerability | CVE-2020-1111 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1121 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
 | CVE-2020-1165 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1166 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2020-1154 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Denial of Service Vulnerability | CVE-2020-1076 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2020-1021 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1082 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1088 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2020-1132 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows GDI Elevation of Privilege Vulnerability | CVE-2020-1142 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows GDI Information Disclosure Vulnerability | CVE-2020-0963 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
 | CVE-2020-1179 | No | No | Less Likely | Less Likely | Important | |
 | CVE-2020-1141 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
 | CVE-2020-1145 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2020-1135 | No | No | More Likely | More Likely | Important | 7.8 | 7.0
Windows Hyper-V Denial of Service Vulnerability | CVE-2020-0909 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows Installer Elevation of Privilege Vulnerability | CVE-2020-1078 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1114 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1087 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Kernel Information Disclosure Vulnerability | CVE-2020-1072 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Print Spooler Elevation of Privilege Vulnerability | CVE-2020-1048 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1070 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Printer Service Elevation of Privilege Vulnerability | CVE-2020-1081 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Push Notification Service Elevation of Privilege Vulnerability | CVE-2020-1137 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Remote Access Common Dialog Elevation of Privilege Vulnerability | CVE-2020-1071 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
Windows Remote Code Execution Vulnerability | CVE-2020-1067 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1149 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
 | CVE-2020-1151 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
 | CVE-2020-1155 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1156 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1157 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1158 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1077 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1086 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1090 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1125 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
 | CVE-2020-1139 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1164 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows State Repository Service Elevation of Privilege Vulnerability | CVE-2020-1124 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1134 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1144 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1186 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1189 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1190 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1131 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
 | CVE-2020-1184 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1185 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1187 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1188 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1191 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Storage Service Elevation of Privilege Vulnerability | CVE-2020-1138 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3
Windows Subsystem for Linux Information Disclosure Vulnerability | CVE-2020-1075 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0
Windows Task Scheduler Security Feature Bypass Vulnerability | CVE-2020-1113 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Windows Update Stack Elevation of Privilege Vulnerability | CVE-2020-1110 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
 | CVE-2020-1109 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.