September 11, 2020
Severity
Medium
Analysis Summary
After a pause in activity involving the Dridex malware, three malspam documents carrying Dridex have been discovered. These documents follow the same infection process as previous iterations of Dridex. To deploy Dridex on a vulnerable Windows host, the victim must download the document and enable macros. Once macros are enabled, the macro causes PowerShell to retrieve a DLL over HTTPS-encrypted traffic. This DLL is the installer for Dridex and is executed immediately. Post-infection, Dridex makes HTTPS calls to obtain the requisite malspam data. Persistence is established through three simultaneous methods: a Windows Registry update, a scheduled task, and a Windows Startup menu shortcut. The malware is loaded through existing, legitimate EXE files: the DLLs used by Dridex are named to match legitimate DLLs so that the corresponding EXEs load them. Apart from any obvious changes, the Dridex malware itself is unchanged and its traffic patterns are the same. Dridex is a Trojan, also known as Bugat and Cridex, that is capable of stealing a victim’s online banking and system information from an infected machine.
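The alert states that Dridex establishes persistence through all three methods at once, which is itself a usable detection signal: any single Run key, scheduled task or Startup shortcut is common on a healthy host, but all three appearing on one host within minutes is not. The correlation below is an added example, not code from the alert or from Rewterz. The event schema (host, ts, source, target), the host names, the paths and the 10-minute window are constructed for illustration; in practice the source fields would be mapped from your own telemetry, for instance Sysmon event ID 13 (registry value set), Sysmon event ID 11 (file create) and Windows Security event ID 4698 (scheduled task created).

```python
"""Correlate the three persistence mechanisms the alert attributes to Dridex.

Added example, not part of the Rewterz alert. The event schema (host, ts,
source, target), the host names, paths and the 10-minute window are all
constructed for illustration and must be mapped onto the telemetry your
own EDR/SIEM emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The three persistence methods named in the alert.
REGISTRY = "registry_run_key"
TASK = "scheduled_task"
STARTUP = "startup_shortcut"
ALL_THREE = {REGISTRY, TASK, STARTUP}


def classify(event):
    """Map a normalized event to one of the three categories, or None."""
    source, target = event["source"], event["target"].lower()
    if source == "registry" and "\\currentversion\\run" in target:
        return REGISTRY
    if source == "schtasks":
        return TASK
    if (source == "file" and "\\start menu\\programs\\startup\\" in target
            and target.endswith(".lnk")):
        return STARTUP
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Return {host: iso_time} for hosts on which all three methods appear
    within `window` of each other; the time is that of the first event."""
    per_host = defaultdict(list)
    for ev in events:
        category = classify(ev)
        if category is not None:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), category))

    hits = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {c for t, c in items[i:] if t - t0 <= window}
            if ALL_THREE <= seen:
                hits[host] = t0.isoformat()
                break
    return hits


# Constructed sample telemetry (not real events): ws01 shows the full triad in
# about two minutes, ws02 only a Run key, ws03 the triad spread over two hours.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2020-09-11T09:00:05", "source": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "ts": "2020-09-11T09:00:40", "source": "schtasks",
     "target": r"\Microsoft\Windows\Updater"},
    {"host": "ws01", "ts": "2020-09-11T09:02:10", "source": "file",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"host": "ws02", "ts": "2020-09-11T09:05:00", "source": "registry",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws03", "ts": "2020-09-11T08:00:00", "source": "registry",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Backup"},
    {"host": "ws03", "ts": "2020-09-11T09:30:00", "source": "schtasks",
     "target": r"\Backup\Nightly"},
    {"host": "ws03", "ts": "2020-09-11T10:15:00", "source": "file",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Backup.lnk"},
]

if __name__ == "__main__":
    for host, first_seen in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: all three persistence methods within window, first at {first_seen}")
```

The window slides from each event in turn, so a host is flagged only when the three categories fall inside a single window; ws03 in the sample has all three but over two hours and is not reported. The threshold is a tuning choice, not a figure from the alert.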
Impact
- Theft of sensitive information
- Financial loss
Indicators of Compromise
MD5
- 157bd8086064f292226162aa698c7c30
- fdd760e04f9f6e13ed4afc641c0a2112
- afda174d91c3bf5b4efef501ee0ca0f1
- e33256efd8b0b2214938766fde51cbd7
- 3642312be4d052462fe9c0f7ca155cfb
- 4b5e6a3741121673cefe45153795026a
- 537cb77a4bdd9abaaf61e7f25b374ec8
SHA-256
- 27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428
- 790b0d9e2b17f637c3e03e410aa22d16eccfefd28d74b226a293c9696edb60ad
- 4d7d8d1790d494a1a29dae42810a3a10864f7c38148c3600c76491931c767c5c
- 9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348
- fd8049d573c056b92960ba7b0949d9f3a97416d333fa602ce683ef822986ad58
- 719a8634a16beb77e6d5c6bb7f82a96c6a49d5cfa64463754fd5f0e5eb0581be
- fee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f
SHA-1
- ee3514f16055d01ba7b20c98b3d22d68ed6539d5
- dccac7015dd1cd5e630ae48d96f3695535cada61
- acf9129fd3a9f4e6d31377fdbfb5f4088c0dbbb2
- 51a1c75e5faafce6d4181887d689f0767782a66f
- 9b8736f8c656bd26c7f7c7dec0e0ac82d53c5c07
- 12e130a6ae14134d6e40aea8ef000ec0880f4cf8
- 93c8937a2e46881ed6ac8f4574ed51d3eed6be4c
Source IP
- 67[.]213[.]75[.]205
URL
- https[:]//thecandidtales[.]com/wuom4a[.]rar
- https[:]//teworhfoundation[.]com/zd0pcc[.]rar
- https[:]//teworhfoundation[.]com/4jvmow[.]zip
- https[:]//thecandidtales[.]com/doakai[.]zip
- https[:]//safaktasarim[.]com/7zcsfo[.]txt
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from unknown sources.
- Do not enable macros for untrusted files.
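The indicators above are defanged (`[.]`, `[:]`) so they cannot be clicked by accident, which means they have to be refanged before a proxy, firewall or EDR can match on them. The script below is an added example, not code from the alert or from Rewterz: it refangs the alert's IP, URL and SHA-256 indicators, derives the hostnames from the URLs so that other paths on the same domains are caught as well, and sweeps a constructed proxy log and a constructed file-hash inventory. The log-line format, client and destination IPs, file paths and the non-matching hash are constructed for illustration; only the indicator values come from the alert.

```python
"""Refang the alert's indicators and sweep constructed telemetry against them.

Added example, not part of the Rewterz alert. The indicator values are the
ones listed in the alert; the proxy-log format, client/destination IPs,
file paths and the non-matching hash are constructed for illustration.
"""
import re

ALERT_IOCS = {  # copied from the alert, still defanged
    "ip": ["67[.]213[.]75[.]205"],
    "url": [
        "https[:]//thecandidtales[.]com/wuom4a[.]rar",
        "https[:]//teworhfoundation[.]com/zd0pcc[.]rar",
        "https[:]//teworhfoundation[.]com/4jvmow[.]zip",
        "https[:]//thecandidtales[.]com/doakai[.]zip",
        "https[:]//safaktasarim[.]com/7zcsfo[.]txt",
    ],
    "sha256": [
        "27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428",
        "790b0d9e2b17f637c3e03e410aa22d16eccfefd28d74b226a293c9696edb60ad",
        "4d7d8d1790d494a1a29dae42810a3a10864f7c38148c3600c76491931c767c5c",
        "9b747e89874c0b080cf78ed61a1ccbd9c86045dc61b433116461e3e81eee1348",
        "fd8049d573c056b92960ba7b0949d9f3a97416d333fa602ce683ef822986ad58",
        "719a8634a16beb77e6d5c6bb7f82a96c6a49d5cfa64463754fd5f0e5eb0581be",
        "fee5bb973112d58445d9e267e0ceea137d9cc1fb8a7140cf9a67472c9499a30f",
    ],
}


def refang(value):
    """Undo common defanging: [.] -> ., [:] -> :, hxxp(s) -> http(s)."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def host_of(url):
    """Lowercase host part of a URL with scheme and path stripped."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def build_matchers(iocs):
    """Refang every indicator once and index it by the field it matches on."""
    urls = {refang(u) for u in iocs["url"]}
    return {
        "ip": {refang(i) for i in iocs["ip"]},
        "url": urls,
        "host": {host_of(u) for u in urls},  # other paths on the same domains
        "sha256": {h.lower() for h in iocs["sha256"]},
    }


def sweep_proxy_log(lines, matchers):
    """Return (line_number, matched_field) for each line hitting an indicator.
    Constructed line format: <ts> <client_ip> <dest_ip> <method> <url> <status>."""
    hits = []
    for number, line in enumerate(lines, 1):
        _, _, dest_ip, _, url, _ = line.split()
        if url in matchers["url"]:
            hits.append((number, "url"))
        elif host_of(url) in matchers["host"]:
            hits.append((number, "host"))
        elif dest_ip in matchers["ip"]:
            hits.append((number, "ip"))
    return hits


def sweep_hashes(inventory, matchers):
    """Return the paths whose SHA-256 is one of the alert's file hashes."""
    return sorted(p for p, h in inventory.items() if h.lower() in matchers["sha256"])


MATCHERS = build_matchers(ALERT_IOCS)

# Constructed proxy lines (not real traffic); 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_PROXY_LOG = [
    "2020-09-11T10:01:02 10.0.0.5 67.213.75.205 GET https://thecandidtales.com/wuom4a.rar 200",
    "2020-09-11T10:01:09 10.0.0.5 203.0.113.7 GET https://safaktasarim.com/index.html 200",
    "2020-09-11T10:02:00 10.0.0.9 198.51.100.4 GET https://example.org/ 200",
    "2020-09-11T10:03:00 10.0.0.9 67.213.75.205 POST https://67.213.75.205/ 200",
]

# Constructed hash inventory: the second entry uses an obvious placeholder hash.
SAMPLE_INVENTORY = {
    r"C:\Users\u\AppData\Local\Temp\wuom4a.rar":
        "27379612c139d3c4a0c6614ea51d49f2495213c867574354d7851a86fdec2428",
    r"C:\Windows\System32\kernel32.dll": "0" * 64,
}

if __name__ == "__main__":
    for number, field in sweep_proxy_log(SAMPLE_PROXY_LOG, MATCHERS):
        print(f"proxy line {number}: matched on {field}")
    for path in sweep_hashes(SAMPLE_INVENTORY, MATCHERS):
        print(f"file hash match: {path}")
```

Matching on the derived hostnames is deliberately broader than the exact URLs, since a download path can change while the staging domain stays the same; the trade-off is that a legitimately compromised site will also produce hits on its benign pages, so host matches are worth triaging rather than auto-blocking.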