Monday, June 8, 2015

Indicators - Dridex

I have been seeing a large amount of emails containing malicious Microsoft Word macro-enabled documents attached. These documents, once the macro has been allowed to run by the user, will download and run an executable file to infect the machine. Below are several indicators that I have seen so far, and I have even created a Wireshark/regex filter that will help you find these files in a PCAP file.

Threat Name: Dridex

File Download Locations:
These files may no longer be active, but please use caution when downloading as they are malicious.

File Names:
The file names are numerical and 1 through 3 digits long.


IP Connections:
The malware will attempt to make CONNECT requests to the below IP addresses and ports.

Regex Query:
The following regex query should find the HTTP URI and file name of the executable file. Since the directory and file names are pretty consistent in the fact that they have been numerical values so far, it should be pretty easy to locate in your logs.
  • \/[1-9]{1,3}\/[0-9]{1,3}\.exe
The following Wireshark display filter (using regex) should also work:
  • http.request.uri matches "\/[1-9]{1,3}\/[0-9]{1,3}\.exe"
You should see similar information below in the Info column in Wireshark when you run the above query:

I am sure that I will be adding more indicators for this malware soon as it has been pretty prevalent over the past few weeks. Thanks for reading.

No comments:

Post a Comment

Please feel free to leave a comment that is relevant to the post.