The Rise of Dridex and the Role of ESPs

In Botnet, Malware, News

Last week, we warned Swiss citizens about a new malspam run targeting exclusively Swiss internet users. The attack aimed to infect them with Dridex, a sophisticated eBanking Trojan that emerged from the code base of Bugat / Cridex in 2014. Despite takedown attempts by the security industry and several arrests conducted by the FBI in 2015, the botnet is still very active. In 2016, MELANI / GovCERT.ch became aware of a handful of highly sophisticated attacks against small and medium businesses (SMB) in Switzerland aiming to steal large amounts of money by targeting offline payment software. During our incident response in 2016, we identified Dridex as the initial infection vector, which had arrived in the victim's mailbox as malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and for conducting the actual fraud. Between 2013 and 2015, the Carbanak malware was used to steal approximately 1 billion USD from banks worldwide.

Read more: https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps


Image courtesy:  https://www.govcert.admin.ch/
