Not dead yet: Dridex actors resume operation with new distribution and Shifu banking Trojan


Following a month-long hiatus after a number of arrests, and despite a recent reported takedown, Dridex actors appear to have taken the recent disruptions as a challenge to bounce back better than ever. Proofpoint researchers analyzed the activity in the recent return to operations of the Dridex actors and identified numerous changes in behavior, from technical innovations to distributing other banking and data-stealing malware. Key points include:

  • Dridex spam ceased in the month of September following the arrest of Andrei Ghincul, aka Smilex, allegedly responsible for much of Dridex spam. [1] [2] [3]
  • Dridex spam resumed at the beginning of October, with all of the sub-botnets delivered by the same spam botnet.
  • Dridex 220 botnet operations resumed on October 1 and have been going strong since.
  • Dridex 120 operations resumed on October 16.
  • Proofpoint observed a new Dridex botnet ID 301 and a rarely-seen Dridex botnet ID 121.
  • Proofpoint observed return of exceptional volumes of spam, with multiple days exhibiting message volumes at or above the busiest days of the past six months.
  • The same spam botnet that distributes Dridex also spread the Shifu banking Trojan, targeting Japanese and UK users and demonstrating that the actors are willing to diversify.
  • The botnet also spread Ursnif data-stealing malware targeting Australian users.

The Five Elements of a Modern Attack

When attempting to decipher the recent developments around Dridex it may be useful to place them in the context of the larger framework employed by many modern cyberattackers. Such a framework typically consists of five elements: Actor, Vector, Hoster, Payload, and C2.

  1. Actor: The attacker organization; real humans driven by various motivations, often financial for cybercriminals.
  2. Vector: The delivery mechanism; email via attacker-controlled or leased spam botnet is a dominant vector, though social media is growing.
  3. Hoster: The sites hosting malware; if malware is not directly attached to email, macro-enabled documents or exploit-kit emplaced droppers will source from these sites.
  4. Payload: The malware; software that will enable the attacker to make use of (control, exfiltrate data from, download more software to) the target computer.
  5. C2: the command and control channel that serves to relay commands between the emplaced malware and attackers.

This framework enables attackers to operate in robust, horizontally segmented ecosystems, specializing in developing certain parts of the framework, and selling or leasing to others; such frameworks are resistant to takedowns and individual component failures. But such frameworks also increase attackers' detection surface; that is, their susceptibility to discovery. By tracking each of these elements, defenders can infer other elements and take the appropriate defensive measures. 

Dridex botnets observed

Dridex 220 operations resumed on October 1 and have been going strong since. The Dridex 220 botnet takedown announced October 13 seemed to be followed by just a 1-day pause in spam activity, on October 14. Proofpoint has since observed fourteen daily Dridex 220 campaigns, and testing shows that this malware is currently able to successfully pull down DLLs and configuration files.

Dridex 120 operations resumed on October 16 and Proofpoint has since observed seven daily campaigns for this botnet. In addition, Proofpoint observed new sub-botnet IDs, specifically 301 and 121. The following are the specific Dridex botnets and the dates on which they were observed by Proofpoint:

  • Dridex 220: October 1, 5, 6, 7, 8, 9, 12, 13, 15, 19, 21, 22, 23, 26
  • Dridex 120: October 16, 19, 20, 22, 26, 27, 28
  • Dridex 121: October 19
  • Dridex 301: October 22

Dridex spam volumes and observations

In these spam campaigns, Proofpoint researchers noted the following details:

  • October 22 was remarkable in that we detected 4 Dridex spam campaigns: Dridex botnets 120, 220 (morning and evening) and 301 were all distributed by spam bots in a single day
  • The largest volume of messages sent out in a single campaign was two times the average message volume of Dridex campaigns in October (Dridex Botnet 220 - 19th October)
  • The smallest volume of email messages sent out in a single campaign was a sub-100 message campaign for Dridex botnet 121 on October 19
  • We continue to see invoice and transaction email lures (Fig. 1) used widely
  • Most of the emailed malicious document attachments are empty or use a generic “Enable macros to view this document” lure. However, the tiny Dridex 121 campaign of October 19 employed an interesting document lure (Fig. 2)


Figure 1: Invoice lure from October 21 Dridex 220 campaign


Figure 2: High-quality document lure from October 19 Dridex 121 campaign

Shifu banking Trojan

The same botnet (consisting of around 4 to 10 thousand infected spam machines, depending on the day) that distributes Dridex 120, 220, 121 and 301 [5] was also observed distributing the Shifu banking Trojan, demonstrating that the actors are willing to diversify or are looking for additional options should law enforcement actions prove successful.

First reported in late August [6], the Shifu banking Trojan combines features from numerous other well-known banking Trojans, including Zeus, Dyre, Dridex and others. While this sophisticated hybrid employs a configuration file similar in format and technique to that of Dridex, it also has stealth, obfuscation, anti-analysis, C2 and even anti-malware [7] capabilities that Dridex does not, and has to date been observed targeting primarily banking customers in Japan and the UK.

On October 7, the botnet sent out emails in Japanese claiming to be a confirmation for an order, but which in reality contained attachments such as "1312061102_13233939se.doc" that used macros to download a Shifu banking Trojan targeting Japanese users.


Figure 3: Email with order confirmation lure distributing Shifu targeting Japanese users

On October 20, another campaign was observed using messages with the subject "Purchase Order No: 48847" and containing the attachment "PO_48847.DOC", or with the subject "john.doe@somecompany.com" (the recipient's address) and the attachment "FINAL NOTIFICATION.xls". The attachments are Microsoft Office documents containing malicious macros which download the Shifu banking Trojan, this time targeting customers of banks in the United Kingdom. [4] (Fig. 4)


Figure 4: Email with order confirmation lure distributing Shifu targeting UK users

We previously observed this spam botnet spreading primarily Dridex, which might be taken to suggest that it was under the control of a single group or small set of individuals. On its own, however, this fact is not enough to connect these instances of Shifu to the actors distributing Dridex; for example, the machines could be infected with more than one spam bot, or the spammer could simply be doing a friend a favor. However, additional analysis revealed other commonalities: for example, the builder used to generate the Shifu documents was the same one used by Dridex 220, with similar file names, an empty document body, and a similar payload location URI structure (that is, the location from which the Microsoft Word document downloads the Shifu or Dridex payload).

Example Payload URLs for October 20 Shifu:

  • [hxxp://ladiesfirst-privileges[.]com/656465/d5678h9.exe]
  • [hxxp://papousek.kvalitne[.]cz/656465/d5678h9.exe]
  • [hxxp://pmspotter[.]wz[.]cz/656465/d5678h9.exe]

Example Payload URLs for October 19 Dridex 220:

  • [hxxp://demo9.iphonebackstage[.]com/35436/5324676645.exe]
  • [hxxp://euroagroec[.]com/35436/5324676645.exe]
  • [hxxp://webmatique[.]info/35436/5324676645.exe]
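The link between the two campaigns rests on the payload URLs sharing one host-independent path. The following Python, an added example and not part of the Proofpoint post, refangs the URLs quoted above (constructed input re-typed from the post), clusters hosts by payload path, and checks each path against the /digits/name.exe layout both builders use; the regex describing that layout is an assumption drawn from these six URLs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Sample input constructed from the defanged URLs quoted in the post.
SHIFU_OCT20 = [
    "[hxxp://ladiesfirst-privileges[.]com/656465/d5678h9.exe]",
    "[hxxp://papousek.kvalitne[.]cz/656465/d5678h9.exe]",
    "[hxxp://pmspotter[.]wz[.]cz/656465/d5678h9.exe]",
]
DRIDEX_OCT19 = [
    "[hxxp://demo9.iphonebackstage[.]com/35436/5324676645.exe]",
    "[hxxp://euroagroec[.]com/35436/5324676645.exe]",
    "[hxxp://webmatique[.]info/35436/5324676645.exe]",
]

# Assumed builder layout, generalised from the six URLs: /<digits>/<alphanumeric>.exe
BUILDER_LAYOUT = re.compile(r"^/\d+/[A-Za-z0-9]+\.exe$")


def refang(url: str) -> str:
    """Undo the post's defanging ([...] wrapper, hxxp, [.]) so urlsplit can parse it."""
    url = url.strip("[]")
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def path_signature(url: str) -> str:
    """Host-independent part of a payload URL; identical across one campaign's hosts."""
    return urlsplit(refang(url)).path


def matches_builder_layout(url: str) -> bool:
    """True when the path follows the /<digits>/<name>.exe layout seen in both campaigns."""
    return BUILDER_LAYOUT.match(path_signature(url)) is not None


def cluster_by_path(urls):
    """Group hostnames by identical payload path: {path: [hostnames]}."""
    groups = defaultdict(list)
    for url in urls:
        parts = urlsplit(refang(url))
        groups[parts.path].append(parts.hostname)
    return dict(groups)


if __name__ == "__main__":
    for name, urls in (("Shifu Oct 20", SHIFU_OCT20), ("Dridex 220 Oct 19", DRIDEX_OCT19)):
        print(name, cluster_by_path(urls), all(map(matches_builder_layout, urls)))
```

Each set collapses to a single path, which is the property an analyst would pivot on when correlating a new campaign's download URLs against known Dridex or Shifu builds.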

On October 28, Proofpoint researchers observed another large campaign that appeared to be from the same actor, also distributing Shifu and targeting UK users with an “Order Confirmation” lure and malicious document attachment. In another example of this actor’s continued variation of payloads, the campaign employed a Neutrino Bot as the initial payload, which then downloaded Shifu as a second payload.

Ursnif data-stealing malware

In October, this same spam botnet was observed also spreading Ursnif data-stealing malware. For example, on October 21 there was a campaign of Australian-targeted emails containing randomly named attachments that used malicious macros to download Ursnif. Interestingly, the documents employed the same visual template as was utilized by Dridex sub-botnet 200 back in April 2015. (Fig. 5)


Figure 5: Document that downloads Ursnif once macros are enabled

The Ursnif sample analyzed by Proofpoint targeted users of the following banking sites:

  • suncorpbank.com.au
  • commbank.com.au
  • bendigobank.com.au
  • westpac.com.au
  • stgeorge.com.au
  • banksa.com.au
  • bankofmelbourne.com.au
  • nab.com.au
  • anz.com
  • ibanking.*.au
  • bankwest.com.au
  • banking?.anz.com
  • wintrade-international.com.au

Conclusion

Recent observations by Proofpoint researchers have confirmed that the Dridex 220 botnet more than survived recent takedown attempts. Moreover, these analyses show that the actors behind the Dridex 220 botnet are in fact also behind recent Shifu campaigns in the UK and Japan, and at least one Ursnif campaign targeting Australian banking customers. These findings underscore the resilience and adaptability of these actors and highlight the danger they continue to pose to individuals and organizations.

References

[1] https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

[2] https://isc.sans.edu/forums/diary/Botnets+spreading+Dridex+still+active/20295

[3] www.justice.gov/opa/pr/bugat-botnet-adaministrator-arrested-and-malware-disabled

[4] https://www.lexsi.com/securityhub/dridex-bruteres-inside-the-dridex-spam-machine/?lang=en

[5] http://researchcenter.paloaltonetworks.com/2015/10/dridex-is-back-and-targeting-the-uk/

[6] https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/

[7] http://www.darkreading.com/vulnerabilities---threats/new-shifu-banking-trojan-an-uber-patchwork-of-malware-tools/d/d-id/1322039

IOCs
