MVISION Insights: Specially Crafted Excel Document Being Used to Spread Dridex Variant

Technical Articles ID: KB95155
Last Modified: 1/13/2022

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all McAfee Enterprise customers. Contact McAfee Enterprise for more information about MVISION Insights.

Summary

Description of Campaign
A phishing campaign delivering an Excel document has been identified delivering a modified version of the Dridex information stealer malware. The recipient is made to believe the Excel document is regarding "Import Tariffs" and instructed to enable macros. If successful, the document will run code contained in the document that initiates communication with the adversaries C2 server to obtain the Dridex malware, set persistence as well as receive additional modules and to exfiltrate collected data.

The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.
This campaign was researched by Fortinet and shared publicly here.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats, which contains countermeasures.
Review KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	C8065BD2A1443FF988E9BA95022554F6EE302E9BCB4082C3D9B2B8D74C5A4BE5
SHA256	59C8D87A450F0647BEA930EBA1AA692B75D82DEF1358F1601C4FE9A561B4707E
SHA256	6556E4029CF50C9538F4E02D0BCCA5356F28E6870E62838E164020A31B3DF096
URL	https://assettagger.saleseos.com/Classes/PHPExcel/Shared/JAMA/examples/RLFBubHuLTnm.php
URL	https://reportingdashboard.mobilisedev.co.uk/includes/6WSSUhQrM.php
URL	https://loans.uhuruloans.com/wp-includes/sodium_compat/namespaced/Core/ChaCha20/X8av4FUl7STEot3.php
URL	https://practice.haylawdesign.com/wp-content/themes/twentynineteen/template-parts/content/jE4zYiuJ0iIw.php
URL	https://kings.inforwizztechnologies.com/wp-content/plugins/aapside-master/elementor/widgets/tfOSpcBiZpffptj.php
URL	https://pizzaplus.com.ng/wp-content/themes/twentytwentyone/template-parts/content/TZ6qTYLx7l.php
URL	https://efshub.com/PHPMailer-master/examples/images/zunuLqqNQIGJPht.php
URL	https://user.kasikoi.info/static/lib/ckeditor/skins/moono/2h80F9GORDfIB.php
URL	https://deepsource.in/ncsitebuilder/css/flag-icon-css/flags/1x1/wcToKXeb7FxQ.php
URL	https://ebanking.hentostreasury.com/account/umSqqCiyMf.php

Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	10109
V3 DAT (Endpoint Security)	4565

Detection Summary

IOC	Scanner	Detection
C8065BD2A1443FF988E9BA95022554F6EE302E9BCB4082C3D9B2B8D74C5A4BE5	AVEngine V2	Exploit-CVE2017-8570.j
	AVEngine V3	Exploit-CVE2017-8570.j
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
59C8D87A450F0647BEA930EBA1AA692B75D82DEF1358F1601C4FE9A561B4707E	AVEngine V2	Exploit-CVE2017-8570.j
	AVEngine V3	Exploit-CVE2017-8570.j
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
6556E4029CF50C9538F4E02D0BCCA5356F28E6870E62838E164020A31B3DF096	AVEngine V2	Drixed-FJX!4DE82497D467
	AVEngine V3	Drixed-FJX!4DE82497D467
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Affected Products

MVISION Insights

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

MVISION Insights: Specially Crafted Excel Document Being Used to Spread Dridex Variant

Environment

Summary

Affected Products

Glossary of Technical Terms

Title

Title

Knowledge Center

MVISION Insights: Specially Crafted Excel Document Being Used to Spread Dridex Variant

Environment

Summary

Affected Products

Glossary of Technical Terms

Choose your region

Title

Title