Goal: Reverse and document the latest Dridex banking malware campaign related to botnet ID “23005.”
“Please DocuSign the attached Business Activity Statements” #malspam campaign #blacktds dropping #dridexhttps://t.co/b5eba2ibNp pic.twitter.com/7y5fxrq0Uk
— James (@James_inthe_box) March 29, 2018
Thanks to @James_inthe_box, I decided to quickly analyze and document the Dridex botnet ID “23005” spam infection chain leading from the spam campaign impersonating DocuSign. The observed subject of the Dridex campaign was “Please DocuSign the attached Business Activity Statements.”
Malware Spam Chain:
I. Spam Microsoft Word Macro Document
II. CMD/PowerShell Execution & Download to %TMP%\jjkv.exe & %TMP%\gwzoxu.bat.
The Dridex payloads were staged by the operators on March 29 14:12 GMT.
III. Batch Script Binary Execution
V. Addendum: Indicators of Compromise (IOCs):
- “Please DocuSign the attached Business Activity Statements”
Malicious Word loader (MD5):
Dridex “23005” binary (MD5):
- MD5: 88ce6c0affcdbdc82abe53957dddfa12