Attack waves Invoice Macro Word Dridex virus

by Stephane

Big Dridex attacks by sending fake DOC invoices

For more than a month now, we’ve been noticing large waves of spam messages with unpaid invoices in the subject line. The messages in question are written in correct French, with no spelling mistakes, unlike most spam, and contain a Microsoft Word DOC document as an attachment. There are also file variants in DOCX, DOCM, XLS and XML, which also contain a Macro. The notion of urgency and the title of the message encourage you to open the document. The botnet used to send this spam is : ”  Botnet 120 “. By way of example, here are a few recurring topics used (xxxxxx represents numbers) :

Invoice XXXXXXXe number: Nxxxxxx/xxxxxx
DUPLICATE INVOICE xxxxxx/xxxxxx
EXPIRED BILLS xxxxxx/xxxxxx
BILL RELAY xxxxxx/xxxxxx
Invoice xxxxxx/xxxxxx
Your invoice xxxxxx/xxxxxx

 

Strangely enough, some sending domain names are used more than others in these campaigns. The domains: airtelbroadband.in and ttnet.com.tr appear as sending domains in a large proportion of the emails received! Why don’t spammers use more French-speaking domains, when a major effort is being made to ensure the credibility of the campaign? It would be so easy for them to pass themselves off as users of French ISPs, for example !

Main domains sending the attack

Spam waves are also very localized in terms of distribution times, with over 85% of emails received between 10:30 and 12:00, which is certainly no coincidence.

Dridex attack spam reception times

The multi-variant (different signature) file attachment includes a VBA macro that runs when the file is opened, and contains polymorphic malicious code undetected by most antivirus programs. The attack manages to thwart signature- and reputation-based protection systems, as well as behavioral sandboxing techniques. This VisualBasic code will download the Dridex virus (or Drixed in the case of some antivirus software and Microsoft) through a succession of procedures. Depending on the version, Dridex can be downloaded either directly via the VBA macro, or more generally via a VBS script downloaded from : ” pastebin.com “, which in turn downloads and executes the malware. This script integrates several obfuscation methods, anti-disassembly techniques and sandbox detection techniques. Its main function is to decrypt and decompress a new executable, the payload, hidden in the resources of the first executable. On the other hand, the intermediary VBS uploads two images to a pirate site, enabling the Botnet 120 botmaster to be informed of the progress of his attack’s propagation before and after downloading and executing the malware.

 

Dridex has long been part of the banking malware panorama. However, the current campaign has brought it back into the spotlight, especially as very few antivirus programs are able to detect it, and a large number of people end up infected. Primarily known as a banking trojan (bank data recovery), this virus also has spyware and cryptoware functionalities. Decoding of the Dridex versions analyzed in this spam wave shows that it mainly targets French banks. In particular, it is capable of reading access codes and keylogging, despite the virtual keyboard bypasses implemented on bank websites.

The most significant attacks we recorded were on the following dates : June 30-July1, 2015, July 6-7, 2015, July 17, 2015, July 20-21, 2015 and July 23, 2015.

CERTFR alert for more details : http://www.cert.ssi.gouv.fr/site/CERTFR-2015-ACT-024/

Detailed explanation of how the  attack works: http: //christophe.rieunier.name/securite/Dridex/20150608_dropper/Dridex_dropper_analysis_fr.php

 

What should I do if my computer is hacked? 

Do not open the Word file included in the e-mail, as this file launches a macro that will automatically install the virus on your computer. If you have just opened the file in question, don’t turn off your computer, disconnect it from the Internet and contact your IT department.

How to detect the presence of the virus  

Dridex malware is detected by the presence of one of the following two registry keys :

– HKEY_USERS*SoftwareMicrosoftWindowsCurrentVersionRunwwnotify.
Please note that this key is only visible if the computer is in safe mode.

– Or by the presence of the Dridex configuration registry key, visible even outside safe mode: HKEY_USERS*SoftwareMicrosoftWindowsCurrentVersionExplorerCLSID<random digits>ShellFolder<random digits>

How do I remove the virus manually ?

– Switch to ” minimal safe mode ” by running ” msconfig “, tab ” Start “, check ” Safe start ” then option ” Minimal ” and reboot the computer,
– Delete the malicious key ” HKCUSoftwareMicrosoftWindowsCurrentVersionRunwwnotify ” and the file ” tmp ” to which it points,
– Restart in normal mode by running ” msconfig “, tab ” General “, check ” Normal startup “, then reboot.

 

How does Altospam block these attacks ?

As soon as the attack began, Altospam was able to block these emails so that our customers would not be polluted by this malware. To do this, we rely on different layers of analysis :

– 5 antivirus add-ons scan emails and attachments,
– Altospam integrates a proprietary system to protect against suspicious files : https://www.altospam.com/actualite/2014/02/la-forteresse-daltospam-les-malwares/
– In addition, specific anti-spam filters have been integrated These filters are based on various components of the e-mail, such as the presence of certain subjects specific to the attack, attachments in .doc, .xls, docx, .docm, .xml…. and its content,
– These specific rules are cross-referenced with the suspicious file detection system to increase overall efficiency,
– Our automated real-time attack tracking system enables us to monitor the effectiveness of our filters and adapt them to different alternatives.
– [MAJ dec 2015]: Altospam has integrated a new technology for automatic on-the-fly macro analysis, to complete its antivirus arsenal: reconstruction and deobfuscation  and script analysis (search for dubious elements: auto-execution, downloading, launching executables, etc.).

 

In conclusion, we at Altospam have put everything in place to block these attacks, and are also doing everything we can to be proactive in the event of variant attacks. We also advise caution : don’t open any suspicious Microsoft Word file whose sender you don’t know.

If you are a victim of this type of attack, don’t hesitate to test our free email protection service at : https://www.altospam.com/fr/test-gratuit.php. You can also contact one of our dealers and ask for our  solution: https: //www.altospam.com/fr/revendeurs.php

 

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …