Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Signed Dridex Campaign
Security Research

Signed Dridex Campaign

image
TARUN DEWAN
August 24, 2015 - 3 Lesezeit: Min
Einblicke zum Thema Sicherheit

Inhalt

  1. Artikel
  2. Weitere Blogs

Einführung

Malware authors use various means to make their malware look similar to legitimate software. One such approach involves signing a malware sample with a digital certificate. Recently we saw Dridex malware authors using this technique while reviewing the samples in our Cloud Sandbox. Dridex is a banking Trojan which typically arrives to a system via malicious spam email with a Microsoft Office file as an attachment. These files will have embedded macros that lead to the download and installation of the Dridex Trojan. Dridex then attempts to steal the victim's banking credentials and system information.
 

Signed Dridex campaign

Here we came across one malicious attachment with an encrypted macro that downloads signed Dridex samples from 81.17.28.101/bt/bt/sti[.]php. This Dridex sample is packed using a custom packer, which is is compiled with .NET. The current Dridex is signed with a certificate that is issued to Private Person Parobii Yuri Romanovich. This certificate as been specially created for spreading the Dridex malware.

 
Image
Zertifikat
 
 
 
 
 
We also saw the following signer information in the certificates used for signing the Dridex executables:
  • PJSC "BIZNES AVTOMATYKA
  • AVTOZVIT Scientific Production Private Company
  • Private Person Parobii Yuri Romanovich
The certificates were all issued by COMODO and we observed the following URLs serving the signed Dridex malware:
  • 185.14.29.214/bt/bt/sdp [.] php
  • 81.17.28.101/bt/bt/sti [.] php
  • 5.196.241.204/bt/bt/ched [.] php
  •  217.12.203.171/bt/bt/freda [.] php
  • 94.250.252.13/bt/bt/stata [.] php
  • 149.202.146.176/bt/bt/chdid [.] php
  • 93.170.105.60/bt/bt/grtes [.] php
Below are the Dridex samples served from the aformentioned URLs. All tof he samples are packed with the same .NET packer mentioned above:
  • 5CA1DBA1C72AC999E221DE98BBC584C4
  • 9E73E0C4B92253C5F8B6648F29B28B5B
  • CD243B30B9BBD682C082CFEFDBF79ACD
  • E578618F2D38FC251D52D1366144404F
  • 5F907702CE229937955B4DCE92EC4575
  • DC443FBB5FB6125EBEEEBEC2E4BAA372
  • 0BBC8CD08E9958ACDE0519A2B2840CD7
  • 9D1D0632329F04D8B1EC21AFF4CE6493
  • 32230D747829DCF77841F594AA54915A
  • 8F1A9A9830FF02C5C2BA4C17DFE8B09D
  • 00DCA835BB93708797A053A3B540DB16
  • 393E2145F4C3E9B5697A2AAEB25AA8D3
  • 1992170FDC642D4A99A7BC82BA82FA31
  • 9261B8EAF1DA3D9CFF522875A7198667
  • FB67C85F3F42D3E48B9E7B7637D30858
  • E578618F2D38FC251D52D1366144404F
Dridex Packer:
The Dridex sample is embedded in the resource section of the packer. After unpacking, it drops a Borland Delphi executable file. The following is the snapshot of encrypted resource section:
 
Image
Encrypted Resource Section
Dridex Activity:
The current Dridex sample tries to connect to different IPs included in the config file. The config file for the sample is embedded in the sample itself. In the config file we observed a botnet ID and list of  C&C servers. Below is a snapshot of config file:
 
Image
Konfigurationsdatei 
Dridex collects and sends the following system information to one of the C&C mentioned in the config file:
  • Computer Name
  • Benutzername
  • Windows Version
  • Botnet ID
Image
Information sent to the server
Below is the complete list of C&Cs it tries to connect.
  • 80.247.233.18
  • 91.121.82.113
  • 69.164.213.85
  • 79.143.191.147
  • 199.241.30.233
  • 162.243.12.14
  • 188.93.73.90
  •  195.154.184.240

Fazit

The use of a legitimate certificate in signing malware executables to evade security detection is not new but is still very effective. The malware author aims to exploit the Code-Signing Certificate based allowlist approach by signing their samples. Zscaler ThreatlabZ is actively monitoring these signed malware campaigns and ensuring coverage for our customers.
 
Analysis by Tarun Dewan and Nirmal Singh
form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

vote yes
Ja, sehr hilfreich!
vote no
Nicht wirklich

Haftungsausschluss: Dieser Blog-Beitrag wurde von Zscaler ausschließlich zu Informationszwecken erstellt und wird ohne jegliche Garantie für Richtigkeit, Vollständigkeit oder Zuverlässigkeit zur Verfügung gestellt. Zscaler übernimmt keine Verantwortung für etwaige Fehler oder Auslassungen oder für Handlungen, die auf der Grundlage der bereitgestellten Informationen vorgenommen werden. Alle in diesem Blog-Beitrag verlinkten Websites oder Ressourcen Dritter werden nur zu Ihrer Information zur Verfügung gestellt, und Zscaler ist nicht für deren Inhalte oder Datenschutzmaßnahmen verantwortlich. Alle Inhalte können ohne vorherige Ankündigung geändert werden. Mit dem Zugriff auf diesen Blog-Beitrag erklären Sie sich mit diesen Bedingungen einverstanden und nehmen zur Kenntnis, dass es in Ihrer Verantwortung liegt, die Informationen zu überprüfen und in einer Ihren Bedürfnissen angemessenen Weise zu nutzen.

Weitere Zscaler-Blogs erkunden

A cyber criminal shopping for malware

Agniane Stealer: Dark Web’s Crypto Threat

Blog lesen
Business people walking through a city

The Impact of the SEC’s New Cybersecurity Policies

Blog lesen
Digital cloud illuminated in blue

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

Blog lesen
TOITOIN Trojan

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Blog lesen

01 / 02

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.