[benkow_]

Does anyone get recently Dridex sample?

Sample of the day attached
https://www.virustotal.com/fr/file/dc3c ... /analysis/

<botnet>120</botnet>
<server_list>
104.131.59.185:243
1.179.170.7:4493
78.47.119.93:666
80.96.150.201:9943
</server_list>

grabbed via hXXp://37.46.130.53/jasmin/authentication.php

Just for information, they make little change in the spreading proxy stuff. /tmp/.estbuild has moved to /tmp/.kerneltmp.
They reuse always the same compromise host (like hxxp://195.37.231.2 for example)
Proxy conf example for 195.37.231.2:

Code: Select all

worker_processes                  2;

error_log                         /dev/null;
pid                               /tmp/.kerneltmp/nginx.pid;

events {
    worker_connections            4096;
#    use                           epoll;    
}

http {
    access_log			  /dev/null;
    client_max_body_size        	   200m;
    chunked_transfer_encoding off;

    server {
        listen                    4493;
	location /m348-2hdk-cb2 {
		information;
	}
        ssl on; ssl_certificate /tmp/.kerneltmp/certs/server.crt; ssl_certificate_key /tmp/.kerneltmp/certs/server.key;
        
        location / {
		proxy_pass                 http://62.76.42.222:880;
		proxy_redirect             off;
		proxy_set_header           Host             $host;
		proxy_set_header           X-Forwarded-For  $remote_addr;
		proxy_set_header           X-Real-IP        $remote_addr;
		proxy_connect_timeout      180;
		proxy_send_timeout         180;
		proxy_read_timeout         180;
		proxy_buffer_size          4k;
		proxy_buffers              4 32k;
		proxy_busy_buffers_size    64k;
		proxy_temp_file_write_size 64k;
		proxy_temp_path            /tmp/.kerneltmp/tmp/;
	}
   }
}

[tim]

Botnet 120/121 spread new sample.
Conf obfuscation seems to have change. No more .sdata section
hXXp://91.203.5.169/jeremy/clarkson.php
hXXp://92.63.101.229/jeremy/clarkson.php
hxxp://91.223.88.50/jeremy/clarkson.php

94.73.155.11:2448
115.249.247.26:4538
87.106.101.55:4538

attached

Any idea how they are storing the config now?

Strings obfuscation is the same from what i can tell.

[kaze0]

For the stage 1, config is now stored in binary format inside .data section. The format is quite simple: IP (4bytes) followed by port(2bytes)
To locate the binary config, look for the function responsible for address extraction:
.
See the movzx part ? here you go.
Right before these adresses you also have the botnetid and the number of addresses inside config, also binary encoded.

[keoni161]

New Dridex Sample
http://house.nochildforgotten.org/michigan/map.php

BOTNET ID: 122

188.93.239.28:4843
38.64.199.33:4843
85.17.155.148:1234
Exe sample and unpacked in the attachment

[geoffreyvdb]

New Dridex Sample
http://house.nochildforgotten.org/michigan/map.php

BOTNET ID: 122

188.93.239.28:4843
38.64.199.33:4843
85.17.155.148:1234
Exe sample and unpacked in the attachment

How did you unpack this?

[ikolor]

Why light in toilet ' Xylitol' see better my butt.

next ..
https://www.virustotal.com/en/file/b810 ... 459964535/

[benkow_]

crypted122med.exe -> Dridex #122

[keoni161]

@geoffreyvdb
BP on VirtualAlloc and follow to user code with HBP on the memory location until you find the MZ header then dump the content.

[EP_X0FF]

Just for fun, masterpiece PDF "covering" Dridex technique.

https://conference.hitb.org/hitbsecconf ... gation.pdf

Highlight of only interesting part.


I don't know what quality of the rest of this "article" - I stopped reading after saw this. But I have a bad feelings for the rest too.

Specially for this "experts" I remember that Dridex was using Gootkit adapted method (which was stolen by MZh from here https://www.blackhat.com/docs/eu-15/mat ... ims-wp.pdf, and partially from sdb-explorer utility on github). Never was vulnerability never was any AppCompat whitelist. Just a documented shim and autoelevated sdbinst.

[tim]

Anyone got a recent sample?