article featured image


Make it the rule of thumb to never open an email attachment from an unknown sender! Here’s why: The Heimdal team has collected data about a spam run that is currently rolling out, targeting random email addresses. The spam email pretends to include a scanned document. However, the included .doc contains macros, which, once accessed, will attempt to download the online bank and information thief Dridex. Here are the contents of the unsolicited email: From: [spoofed / fake return address] Subject Line: Scanned from a Xerox Multifunction Printer Contents: Please open the attached document. It was scanned and sent to you Using a Xerox Multifunction Printer. Attachment File Type: DOC, Multi-Page Multifunction Printer Location: Device Name: XRX9C934E5EEC46 For more information on Xerox products and solutions, please visit http://www.xerox.com Attached: Scanned from a Xerox Multifunction Printer.doc

How the infection happens

If the document in question is opened, it will use macros to retrieve Dridex malware from the following locations (sanitized by Heimdal Security): hxxp: // tgequestriancentre [.] co.uk/708/346.exe hxxp: // sudburyhive [.] org / 708 / 346.exe hxxp: // werktuigmachines [.] be / 708 / 346.exe hxxp: // colchester-institute [.] com / 708 / 346.exe These are compromised webpages which return Dridex. The Dridex malware is run in the memory, never dropping a single file onto the hard-drive. This reduces the payload’s footprint on the user’s system and it provides a very low detection rate for traditional security products, such as antivirus. As we can see from the VirusTotal page, the detection rates for this infostealer is extremely low: screenshot of AV detection rates In the next step, Dridex will contact a series of C&C servers to deliver the data banking harvested from the victim’s system. Our team has blocked a large number of these domains in the Heimdal Secure DNS, so our users can be protected from data leakage and data loss. Dridex then writes the following datablobs (Binary Large OBjects) to the registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{91179CCE-14A2-1D89-01D5-125992394513}\ShellFolder 01D3A3627F1088934 “= hex:90,77,a9,7c,3c,f2,f0,e5,46,1c,c3,7b,fd,97,c1,19,aa,ce,1f,c5,2f,51,80,82,3a,7f,ec, 26,a9,83,df,19,aa,d7,12,cd,2f,51,83,cc,6e,38,e3,09,ea,d9,44,13,5c,57,81,ce,ec,89,a1, 9b,d1,dc,ab,58,05,37,8b,62,0c,50,0e,bd [..] The above data is split into two data sets, where both are XOR’d and contain configuration and web injects. In the configuration step, we have observed various features that Dridex uses: http shots form-grabber, httpinjblock, http block, click shots httpinjects, etc. For example, the “http shots” is activated by visiting the following URI: https://www \ .bankline \. (NatWest \ .com | rbs \ .com | ulsterbank \. (ie | co \ .uk)) / From analyzing the configuration and communication with C&C super nodes, we can see that this campaign is marked with BOTid: 120. There are numerous other targets and many sub-functions that make Dridex a dangerous infection for most businesses and individual users with access to online banking.

What is Dridex?

According to Webopedia:

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user. Dridex is an evolution of the Cridex malware, which itself is based on the ZeuS Trojan Horse malware. According to security firm Trustwave, the Dridex banking malware initially spread in late 2014 via a spam campaign that generated upwards of 15,000 emails each day. The attacks primarily focused on systems located in the United Kingdom.

UPDATE [August 20 2015]: A few days ago, the group behind the Dridex botnet launched several spam “spray & pray” campaigns against arbitrary email addresses. The unsolicited email arrives with the following contents: From: [spoofed / fake return address] Subject Line: Notification [random numbers and letters] Attached: 72O99GWS9.doc The attached document contains macros, which, if activated by an unsuspecting user when received, will enable the payload. The payload will connect to the following URLs from which it will download Dridex (sanitized by Heimdal Security): http://www.glamourstylistas [.] com / administrator / components / com_joomlaupdate / 777763172631572.txt http://www.glamourstylistas [.] com / administrator / components / com_joomlaupdate / rara.txt -> https://www.dropbox [.] Com / s / 7elbruw7mwn8oj4 / sfa3xaf.exe? Dl = 1 It’s important not to forget that Dridex is a sophisticated infostealer that systematically harvests data from infected machines. The compromised machines are then bound into a P2P based botnet, where they continue to transmit the collected data. Anti-virus detection for this campaign is low.

UPDATE [October 2 2015]: Dridex is active again

After about one month of downtime, the gang behind Dridex (the notoriously refined banking malware) resumed its operations with a new spam campaign which was launched yesterday, late at night. The unwanted e-mail arrives with an attached document that, once opened and its contents clicked by a careless recipient, will drop Dridex onto the machine. The spam e-mail is delivered with the following contents: From: [spoofed / fake return address] Subject Line: Please print Contents: [pretends to come from an English company named “Ucblinds”]. Attached: Order-SO00653333-1.doc If the attached document is opened and the content is activated, Dridex will become active in memory and it will connect to the following domains from which the main component of the infection will be downloaded and run (sanitized by Heimdal Security): http://hobby-hangar [.] net / 123 / 1111.exe http://miastolomza [.] pl / 123 / 1111.exe http://www.ifdcsanluis [.] edu.ar/123/1111.exe http://www.norlabs [.] de / 123 / 1111.exe http://www.schmidks [.] de / 123 / 1111.exe http://zahnrad-ruger [.] de / 123 / 1111.exe The main component binds the machine into a botnet, but it also captures and delivers various sensitive information to the malicious server. The active C & C and MITM servers are reproduced below and can serve as the Indicators of Compromise (sanitized by Heimdal Security): 195.251 [.] 250.37: 444 195.251 [.] 250.37: 444 136.243 [.] 237 218: 443 136.243 [.] 237 218: 443 66,171 [.] 247 166: 443 88,151 [.] 246.80: 443 66,171 [.] 247 166: 443 https://136.243 [.] 237 218 / https://82.118.24 [.] 167: 4483 / https://85.214.196 [.] 227: 4483 / orderability From the configuration file, it is clear that, in the case of BOTid # 220, the attack’s primary target is the UK. Antivirus detection is still unsatisfactory: 21/56 on VirusTotal. dridex active against october 2015 Click here for the full VirusTotal page detection rates at the moment when the campaign was discovered.

UPDATE [October 8 2015]: New spam campaign drops Dridex

Heimdal Security has collected data regarding a recent “spray & pray” spam campaign. Victims are lured to click because of the subject line which indicated that a scanned document is attached. The attachment is a XLS file with macros, which, if activated, will download Dridex from multiple servers and infect the victim’s PC. The unwanted e-mail arrives with the following contents: From: [spoofed / forged sender] Subject Line: Scanned document from the MX-2600N Contents: Device Name: Not Set Device Model: MX-2600N Location: Not Set File Format: XLS MMR (G4) Resolution: 200dpi x 200dpi Attached: xerox @ [% domain of the receiver%]. tld_20151007_160214.xls If the attachment is opened and the receiver activates the included macros, the machine will connect to the following malicious URLs to download Dridex from a cyber criminal controlled server (sanitized by Heimdal Security): http://tyleos [.] com / fw43t2d / 98kj6.exe http://frozenfoods2004 [.] com / fw43t2d / 98kj6.exe http://alarmtechcentral [.] com / fw43t2d / 98kj6.exe http://performatic [.] xf.cz/fw43t2d/98kj6.exe http://boda-link [.] com / fw43t2d / 98kj6.exe The binary code reveals that the Dridex code is part of Dridex botnet # 220: 220 </ botnet> 196 710 </ version> Command and control servers: 198.61.187 [.] 234: 4483 84246226 [.] 211: 448 92.51.129 [.] 33: 4483 Peers: 113.53.234 [.] 218: 448 134184.39 [.] 171: 443 136243237 [.] 218: 443 66171247 [.] 166: 448 83101.5 [.] 105: 444 88151246 [.] 80: 443 164.15.82 [.] 22: 443 164.15.86 [.] 19: 443 195251250 [.] 37: 448 37128132 [.] 96: 443 The attached malicious XLS document achieves only very limited antivirus detection, which makes the infection very effective on PCs who are not adequately protected.

Financial safety precautions

We advise online banking users to take all necessary security measures to ensure the protection of the confidential data and financial resources. Keep in mind to:

  • Use secure websites when running financial transactions
  • Never download email attachments from unknown senders
  • Set strong passwords for online banking accounts and use 2-step authentication when possible.


Read and apply the 15 Steps to Maximize your Financial Data Protection.

Dridex was first spotted in November 2014, followed by spam campaigns in March, April and May this year. An article on the evolution of Dridex was recently published on the FireEye blog.

Author Profile

Andra Zaharia

Security Evangelist

linkedin icon

As a Security Specialist at Heimdal Security, Andra has made it her mission to help users understand how cyber security works and why it’s essential for any Internet user in the world. Using her background in PR and communication, she singles out relevant subjects and extracts actionable market data and key examples to illustrate them.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo