
Cybercrime, Dridex changes bait: it’s DHL’s turn

Technical analysis by the Malware Hunter JAMESWT

The new lure of Dridex’s malspam campaign is DHL. The .xlsm attachment in the cybercrime email contacts some URLs contained within it to download the DLL and complete the malware infection.

Dridex changes the bait for its malspam campaign: from the fake invoices of various companies it has moved to invoices from DHL. Several emails are currently circulating about an alleged invoice, written in English and with an .xlsm document attached. If downloaded and opened, the document shows an image of the fake invoice. In reality, however, it is configured to contact some URLs contained within it in order to download a DLL, which completes the malware infection chain. Dridex is a very dangerous banking Trojan that has long been behind campaigns all over the world.

The email text (thanks to Cocaman)

The fake DHL invoice

The IOCs

.xlsm MD5

155c990dfb8e9456d6b44f3c01a3699b

DLL MD5

206803daf8a8c1459c8d597e5250b993

DLL dropped from

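As an added example (not code from the original post or from the analyst), the following script shows how a defender can turn IOCs of this kind into something actionable: it refangs bracket-defanged URLs (the post uses several styles: "[.]", "[.com", ".[com"), derives a hostname blocklist from them, and checks file content against the two MD5 values listed above. The sample URLs and file bytes in the usage block are constructed placeholders, not indicators from this campaign.

```python
import hashlib
import re
from urllib.parse import urlsplit

# The two MD5 IOCs published on this page.
KNOWN_MD5S = {
    "155c990dfb8e9456d6b44f3c01a3699b",  # .xlsm attachment
    "206803daf8a8c1459c8d597e5250b993",  # dropped DLL
}


def refang(url: str) -> str:
    """Restore a defanged URL (hxxp, '[.]', '[.com', '.[com' styles) to its real form.

    Square brackets are stripped wholesale; that suits bracket-style defanging
    used in threat-intel posts but would mangle an IPv6 literal in a URL.
    """
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)
    url = url.replace("[.]", ".")
    return url.replace("[", "").replace("]", "")


def blocklist_hosts(defanged_urls):
    """Return the set of lower-cased hostnames to block, derived from defanged URLs."""
    hosts = set()
    for raw in defanged_urls:
        host = urlsplit(refang(raw)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def md5_hex(data: bytes) -> str:
    """Hex MD5 of file content (MD5 is used only because the IOCs are MD5 values)."""
    return hashlib.md5(data).hexdigest()


def is_known_sample(data: bytes) -> bool:
    """True if the content matches one of the page's MD5 IOCs."""
    return md5_hex(data) in KNOWN_MD5S


if __name__ == "__main__":
    # Constructed sample URLs in the defanging styles seen in the IOC list above.
    sample = [
        "hxxps://example[.]com/a.jpg",
        "https://example.[com[.gt/n.jpg",
        "https://sub.example[.co[.uk/p.txt",
    ]
    print(sorted(blocklist_hosts(sample)))
    print(is_known_sample(b"constructed placeholder, not a real sample"))
```

Feed the hostnames to a DNS or proxy blocklist, and run the hash check over mail attachments or files written under the user's profile.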
