Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Published on July 8, 2016 12:35 UTC by GovCERT.ch (permalink)
Last updated on July 8, 2016 11:59 UTC
In the past weeks, we have seen a rise of malicious Microsoft office documents that are being spammed out to Swiss internet users with the aim to infect them with a malicious software (malware) called Dridex.
Dridex is an ebanking Trojan which is already around for some time now. The attackers are operating various botnets with Dridex infected computers. While most of these botnets do have a strong focus on financial institutions from abroad (such as US or UK), one particular botnet is also targeting financial institutions in Switzerland.
These days, Dridex is being distributed via malicious Microsoft office files, for example Word documents (.docx). The attackers have weaponized these documents with a malicious macro. The purpose of this macro is to download additional code (in this case Dridex) from a compromised website, once the office document is being opened and the macro executed. Unless most of the spam campaigns that are hitting our spam traps these days, the spam campaigns that are distributing Dridex do not originate from a spam botnet, but rather from compromised email accounts. Therefore the attackers manage to bypass many spam filters and hence ensure that the email gets delivered to the recipient.
The Dridex spam campaign we have seen yesterday has been sent from compromised t-online.de email accounts, but also from other email service providers:
Received: from mailout09.t-online.de (mailout09.t-online.de [184.108.40.206])
(using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN
"mailout00.t-online.de", Issuer "TeleSec ServerPass DE-2" (verified OK)) by
X (Y) with ESMTPS id X for ; Thu, 7 Jul 2016 X
Received: from fwd10.aul.t-online.de (fwd10.aul.t-online.de [172.20.26.152])
by mailout09.t-online.de (Postfix) with SMTP id X for ; Thu, 7 Jul 2016 X
Received: from [127.0.0.1] (Z@[220.127.116.11]) by fwd10.t-online.de with TLSv1:DHE-RSA-AES256-SHA encrypted) esmtp id X; Thu, 7 Jul 2016 X
Date: Thu, 7 Jul 2016 X
Subject: firstname.lastname ; Aufforderung zur Bezahlung von Rechnung #EU932451 von X
If we can trust the email header, the email has been sent through t-online by a broadband IP address in Russia (18.104.22.168 - OJSC Rostelecom, Russia). The email subject varies:
emailaddress: Offene Rechnung ist verfügbar (# )
emailaddress, Offene Faktur ist überfällig (# 17285838)
emailaddress, Offene Warenrechnung ist überfällig (ID 09608490)
emailaddress - Aufforderung zur Begleichung von Rechnung #J007631 von XYZ
emailaddress - Aufforderung zur Begleichung von Ausgangsrechnung #EU985390 von XYZ
emailaddress : Aufforderung zur Bezahlung von Rechnung #W738296 von XYZ
emailaddress - info, Die Fälligkeit Ihrer Rechnung 1879590 für XYZ
emailaddress partner: Ihre Abrechnung ist überfällig (# 15238847)
The spam email look like this, but may vary:
The attachment name varies and depends on the name of the recipient. Once the malicious office document is opened and the macros executed, Dridex payload will be downloaded from a compromised website.
To prevent becoming a victim of Dridex or other malware that is being distributed via malicious office documents, we recommend the following actions:
For private users:
.bat (Batch file)
.exe (Windows executable)
.cpl (Control Panel)
.com (COM file)
.pif (Program Information File)
.vbs (Visual Basic Script)
.ps1 (Windows PowerShell)
Dridex payload delivery URLs (fetched by the malicious documents that are being spammed out):
Dridex payload (malware samples):
winword.dat (MD5 2eaf243bad4b1c22089e7654524f0e5a)
office.bin (MD5 66e9ff85c9361127cd4b873d48008c9b)
Initial Dridex botnet C&C nodes (compromised servers):
Additional Dridex botnet C&C nodes (compromised servers) - via Dridex configuration file:
Dridex redirect / webinject server (compromised server):
Back to top