This is a guest diary submitted by Brad Duncan.
During the past few months, botnet-based campaigns have sent waves of phishing emails associated with Dridex. Today, we'll examine a wave that occurred approximately 3 weeks ago. The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware.
Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog [3] and TechHelpList [4] often report on these and other phishing campaigns.
Let's take a closer look at one of the November phishing waves.
On 11 Nov 2014, I saw at least 60 emails with "Duplicate Payment Received" in the subject line.
After opening the attached Word document on a Windows host, Dridex was downloaded if macros were enabled.
Shown above: events from Sguil in Security Onion.
File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block.

Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net
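As an added example (not part of this diary or the author's tooling), here is a small Python triage script that takes the two indicators reported above, the "Duplicate Payment Received" subject line and the 62.76.185.0/24 block, and correlates them over constructed mail and HTTP log lines: a host that received the lure with a .doc attachment and then fetched something from that block shortly afterwards is flagged as a likely infection, while a host that reached the block with no lure in the window is listed separately for follow-up. The key=value log format, host names, timestamps and the 30-minute window are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta
# Indicators reported in the diary above.
PHISH_SUBJECT = "Duplicate Payment Received"
DRIDEX_BLOCK = ipaddress.ip_network("62.76.185.0/24")

# Constructed sample log lines (assumed key=value format, not real traffic).
MAIL_EVENTS = [
    '2014-11-11T09:02:10 host=ws-17 subject="Duplicate Payment Received" attach=invoice.doc',
    '2014-11-11T09:05:41 host=ws-23 subject="Duplicate Payment Received" attach=invoice.doc',
    '2014-11-11T09:10:05 host=ws-08 subject="Weekly report" attach=report.docx',
]
HTTP_EVENTS = [
    "2014-11-11T09:03:22 host=ws-17 dst=62.76.185.14 uri=/tmp/payload.exe",
    "2014-11-11T09:11:30 host=ws-08 dst=93.184.216.34 uri=/index.html",
    "2014-11-11T11:40:00 host=ws-23 dst=62.76.185.201 uri=/tmp/payload.exe",
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split '<ISO timestamp> k=v k="v v"' into a dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
          for m in FIELD_RE.finditer(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def is_phish_mail(ev):
    """The lure: the reported subject line carrying a .doc attachment."""
    return ev.get("subject") == PHISH_SUBJECT and ev.get("attach", "").lower().endswith(".doc")

def is_dridex_download(ev):
    """Any HTTP request into the block Dridex was served from."""
    return ipaddress.ip_address(ev["dst"]) in DRIDEX_BLOCK

def triage(mail_lines, http_lines, window=timedelta(minutes=30)):
    """'confirmed': (host, mail_ts, http_ts, dst) where a host got the lure and then reached
    the Dridex block within `window`; 'contact_only': hosts that reached the block without one."""
    lures = [m for m in map(parse, mail_lines) if is_phish_mail(m)]
    confirmed, contact_only = [], []
    for h in filter(is_dridex_download, map(parse, http_lines)):
        lure = next((m for m in lures if m["host"] == h["host"]
                     and timedelta(0) <= h["ts"] - m["ts"] <= window), None)
        if lure:
            confirmed.append((h["host"], lure["ts"].isoformat(), h["ts"].isoformat(), h["dst"]))
        else:
            contact_only.append(h["host"])
    return {"confirmed": confirmed, "contact_only": contact_only}
```

With the constructed events, ws-17 is confirmed (lure, then a fetch from 62.76.185.14 about a minute later) and ws-23 lands in contact_only because its fetch comes well outside the window.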
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.