Uncategorized

Let’s Unpack: Dridex Loader

A few people have been having problems with unpacking the initial loader for Dridex (the one dropped by the macro), so I’m going to show you an easy way to do it. One of the other problems people have, which i can’t fix, is the fact the Dridex infection chains have …

Uncategorized
1

Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid August when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …

Uncategorized

What’s Happening with Necurs, Dridex, and Locky?

Around the 8th of June VICE picked up the story about Necurs’ downtime and wrote a great article including a tweet from Kevin Beaumont referencing my botnet tracker. I was contacted for comment and there’s a few things i’d have liked to add but at the time i was in …

Uncategorized

Dridex Updates Payload Distribution

Dridex spreads mainly using Office documents containing malicious macros, initially the primary stage would involve using VBA (Visual Basic for Applications) to download and execute the loader from one of multiple servers, though this had some flaws. Antivirus and Firewall vendors maintain a list of malicious URLs and IP addresses …

Uncategorized

Let’s Analyze: Dridex (Part 3)

Sorry for the longer than expected delay, occasionally the Dridex group will take the servers offline during the weekend and resume normal operations on Monday; however, it appears they decided to take an extended break as the network went offline at some point a week ago, preventing me from fetching …

Uncategorized

Let’s Analyze: Dridex (Part 2)

In the previous article we went over how to dump the names of the majority of functions dridex resolves dynamically to complicate analysis. Today we will be using some similar methods to get the other main piece of the puzzle (encrypted string). Encrypted Strings As we’ve already got a nice list …

Uncategorized
2

Let’s Analyze: Dridex (Part 1)

Due to popular request I’m starting a new reverse engineering article series which will detail how I go about analyzing various samples, instead of just presenting my findings like I normally do. Most of the posts will be centered around IDA Pro (evaluation edition should work too) with WinDbg as …