
Dridex Redirecting to Malicious Dropbox Hosted File Via Google, (Tue, Apr 21st)

2015-04-21 22:30

Thanks to Wayne for sending us the latest Dridex sample. He observed the messages arriving this morning around 8am ET. According to Wayne, this malware may use Google Analytics to count how many people opened the file, but I haven't confirmed that. Google redirects are, however, used to obscure the destination.

Checking my own inbox, I found a couple of the messages in my spam folder. Here is an example I received:

The link is kind of interesting. It leads to Google, but Google will redirect you to the malicious file, which is hosted on Dropbox. At least the file above was still available.

The link:

hxxps://www.google.com/url?q=https://www.dropbox.com/s/0c5we7id7mgwk89/ACH transaction0336.doc?dl=1&sa=D&sntz=1&usg=AFQjCNFvX9uqV7uVjP8NWYKa4xkImgXPBA

Google will show a note that the user was redirected, but the file will download right away. It will not open on its own; the user will have to open it and enable the macro for it to execute.

Hashes of the Word document:

MD5: f12cfa3f42784769c1542155a4f9cde8
SHA1: 5a939df2692091c89b5a75db3bba990aae3b6d10

And a quick review with fellow handler Didier's oledump tool shows indeed a number of suspect macros.

$ ./oledump.py -p ./plugin_dridex.py "../ACH transaction0336.doc" -e
  1:       114 '\x01CompObj'
  2:      4096 '\x05DocumentSummaryInformation'
  3:      4096 '\x05SummaryInformation'
  4:     10927 '1Table'
  5:    136110 'Data'
  6:       666 'Macros/PROJECT'
  7:       161 'Macros/PROJECTwm'
  8: m     683 'Macros/VBA/Module1'
               Plugin: Dridex decoder
  9: m     683 'Macros/VBA/Module2'
               Plugin: Dridex decoder
 10: M    3592 'Macros/VBA/Module3'
               Plugin: Dridex decoder
 11: m     683 'Macros/VBA/Module4'
               Plugin: Dridex decoder
 12: M    2526 'Macros/VBA/Module5'
               Plugin: Dridex decoder
 13: M   10321 'Macros/VBA/ThisDocument'
               Plugin: Dridex decoder
 14:      5094 'Macros/VBA/_VBA_PROJECT'
 15:       649 'Macros/VBA/dir'
 16:      7220 'WordDocument'

VirusTotal only shows 4 hits out of 57 AV tools tested for this document:

https://www.virustotal.com/en/file/efd9e8d6fe04bf8b7abcdd208c7f1b2b2fabf2ae09bce9775631047455cd533b/analysis/1429631351/

---
Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Source: isc.sans.edu/diary.html?storyid=19609&rss
