erlottery.blogg.se

The Dridex installer retrieves 64-bit Dridex DLL files over encrypted command and control (C2) network traffic.

The initial file retrieves a Dridex installer, although sometimes the initial file is itself a Dridex installer. Either way, potential victims need to click their way to an infection from this initial file. The initial malicious file can be a Microsoft Office document with a malicious macro, or it could be a Windows executable (EXE) disguised as some sort of document.

From October 2020, QuickBooks-themed malspam pushing Dridex using a link. From September 2020, FedEx-themed malspam pushing Dridex using a link. From October 2020, UPS-themed malspam pushing Dridex using an attachment. From September 2020, DHL-themed malspam pushing Dridex using an attachment. Figures 1 through 4 show some recent examples. Some emails delivering Dridex contain Microsoft Office documents attached, while other emails contain links to download a malicious file. Waves of this malspam usually occur at least two or three times a week. Dridex is commonly distributed through malicious spam (malspam). To understand Dridex network traffic, you should understand the chain of events leading to an infection. We recommend you review this pcap in a non-Windows environment like BSD, Linux or macOS if at all possible. There is a risk of infection if using a Windows computer. Warning: Some of the pcaps used for this tutorial contain Windows-based malware.

You will need to access a GitHub repository with ZIP archives containing pcaps used for this tutorial. Note: Our instructions assume you have customized Wireshark as described in our previous Wireshark tutorial about customizing the column display. Today’s Wireshark tutorial reviews Dridex activity and provides some helpful tips on identifying this family based on traffic analysis. This malware first appeared in 2014 and has been active ever since. Familiarity with Wireshark is necessary to understand this tutorial, which focuses on Wireshark version 3.x.ĭridex is the name for a family of information-stealing malware that has also been described as a banking Trojan. This tutorial is designed for security professionals who investigate suspicious network activity and review network packet captures (pcaps).