![]() Certificates contain a website's public key and confirm the website's identity.ĭifferent certificate authorities (CAs) can issue digital certificates for various websites. Data from this digital certificate is used to establish an HTTPS connection. When viewing a website using HTTPS, a certificate is sent by the web server to a client's web browser. To understand Dridex infection activity, we should also understand digital certificates used for HTTPS traffic.Ī digital certificate is used for SSL/TLS encryption of HTTPS traffic. Fortunately, post-infection traffic caused by Dridex C2 activity is distinctive enough to identify. Figure 7: Chain of events seen in September 2020 where the link led to a Dridex installer EXE.Īs noted in Figures 5 through 7, distribution traffic is most often HTTPS, which makes the initial file or Dridex installer hard to detect because it is encrypted. Instead, they returned a Windows executable file. 24, 2020, links from malspam pushing Dridex didn’t return an Office document. Chain of events commonly seen when Dridex is distributed using links in malspam.įigure 7 shows another type of Dridex infection chain from malspam, which is not as common as the Office documents used in Figures 5 and 6. Chain of events commonly seen when Dridex is distributed as malspam attachments. Figures 5 and 6 show what we commonly see for infection chains of recent Dridex activity. The Dridex installer retrieves 64-bit Dridex DLL files over encrypted command and control (C2) network traffic. The initial file retrieves a Dridex installer, although sometimes the initial file is itself a Dridex installer. Either way, potential victims need to click their way to an infection from this initial file. The initial malicious file can be a Microsoft Office document with a malicious macro, or it could be a Windows executable (EXE) disguised as some sort of document. From October 2020, QuickBooks-themed malspam pushing Dridex using a link. From September 2020, FedEx-themed malspam pushing Dridex using a link. From October 2020, UPS-themed malspam pushing Dridex using an attachment. ![]() From September 2020, DHL-themed malspam pushing Dridex using an attachment. ![]() Figures 1 through 4 show some recent examples. Some emails delivering Dridex contain Microsoft Office documents attached, while other emails contain links to download a malicious file. Waves of this malspam usually occur at least two or three times a week. Dridex is commonly distributed through malicious spam (malspam). ![]() To understand Dridex network traffic, you should understand the chain of events leading to an infection. We recommend you review this pcap in a non-Windows environment like BSD, Linux or macOS if at all possible. There is a risk of infection if using a Windows computer. ![]() Warning: Some of the pcaps used for this tutorial contain Windows-based malware. You will need to access a GitHub repository with ZIP archives containing pcaps used for this tutorial. Note: Our instructions assume you have customized Wireshark as described in our previous Wireshark tutorial about customizing the column display. Today’s Wireshark tutorial reviews Dridex activity and provides some helpful tips on identifying this family based on traffic analysis. This malware first appeared in 2014 and has been active ever since. Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark version 3.x.ĭridex is the name for a family of information-stealing malware that has also been described as a banking Trojan. Running on Mac OS X 10.16, build 21G115 (Darwin 21.6.0), with Intel(R) Core(TM) i7-9750H CPU 2.60GHz (with SSE4.2), with 16384 MB of physical memory, with GLib 2.68.4, with PCRE2 10.39, with zlib 1.2.11, with Qt 6.2.4, with libpcap 1.9.1, with c-ares 1.15.0, with GnuTLS 3.6.15, with Gcrypt 1.8.7, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.2, with Zstandard 1.4.2, with libsmi 0.4.8, with dark display mode, with mixed DPI, with LC_TYPE=C, binary plugins supported.This tutorial is designed for security professionals who investigate suspicious network activity and review network packet captures (pcaps). Compiled (64-bit) using Clang 11.0.0 (clang-1100.0.33.16), with GLib 2.68.4, with PCRE2, with zlib 1.2.11, with Qt 6.2.4, with libpcap, without POSIX capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi 0.4.8, with QtMultimedia, with automatic updates using Sparkle, with SpeexDSP (using system library), with Minizip, with binary plugins. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |