AutoIT-compiled malware and Dridex trace their roots to as far back as 2008 and 2014, respectively. As malware variants go, therefore, they’ve both had a long history and taken on various forms over time. But despite having been detected and consequently blocked with each new version, they’re still alive and kicking—a testament to their persistence.
The SANS Internet Storm Center (ISC) recently reported seeing an AutoIT-compiled malware stealing information from Microsoft Outlook and Chrome. Dridex, meanwhile, resurfaced with a new entry tactic to target macOS users, according to Trend Micro. While we may not see the end of these tried-and-tested malware families yet, we can limit the damage they cause through early detection of suspicious Internet properties.
Armed with exhaustive WHOIS, IP, and DNS intelligence, WhoisXML API researchers expanded the lists of indicators of compromise (IoCs) identified for both threats to help users mitigate risks. Our analysis of three domains (AutoIT IoCs) and one URL (Dridex IoC) uncovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We used the three domains SANS ISC published as IoCs—publicpressmagazine[.]com, moscowkov[.]xyz, and moscowkov[.]at—for our expansion analysis for the newly discovered AutoIT-compiled malware.
First, we subjected the domains to DNS lookups, which led to the discovery of three unique IP addresses—172[.]67[.]137[.]212, 104[.]21[.]81[.]36, and 85[.]209[.]135[.]159. The first two were shared IP hosts, while the last one was a dedicated (private) host. Two of the IP addresses were geolocated in the U.S., while the last one traced back to the Netherlands.
Reverse IP/DNS lookups for these IP hosts allowed us to uncover 329 possibly connected domains, 3% of which turned out to be malicious. While a majority of the malicious properties were unreachable at the time of writing, the following pages—a live auto insurance site, another that’s up for sale, and an index page—may serve as malware hosts or suffer reputational damage from their unintended association with potentially dangerous IP addresses.
Next, we used two text strings—publicpress and moscowkov—seen among the IoCs as Domains & Subdomains Discovery search terms to find more potentially connected artifacts. That gave us 154 additional domains. While none of them are currently being detected as malicious, their resemblance to the AutoIT IoCs may make them attractive to the attackers as future threat vectors.
Our investigation of the latest Dridex attack started from a URL—http://pr-clanky[.]kvalitne[.]cz/65y3fd23d/87i4g3d2d2[.]exe—identified as an IoC.
We stripped the URL down to pr-clanky[.]kvalitne[.]cz for further analysis. A historical WHOIS search for the domain name kvalitne[.]cz revealed an unredacted email address—info@webzdarma[.]cz—that we used to look for other likely connected domains. We found 488 domains, two of which—prodejce[.]cz and web2001[.]cz—were dubbed malicious.
Based on a DNS lookup, the domain resolved to the IP address 185[.]64[.]219[.]6, which it shared with 300 other domains, one of which—11235813[.]webzdarma[.]cz—turned out to be malicious. Note its domain’s similarity with that of the unredacted email address our historical WHOIS search found. Given that the unredacted email address was used in 2017, the actors behind the old and this latest Dridex attack could be one and the same.
To gather other possible artifacts, we used two strings—pr-clanky and kvalitne—found in the IoC’s domain as Domains & Subdomains Discovery search terms. That led to the discovery of 638 other domains. While none of them are currently being detected as malicious, their resemblance to the IoC may tempt the threat actors behind the recent Dridex attack to use them as future malware hosts.
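The pivots used in both the AutoIT and the Dridex expansions above follow the same pattern: refang the published IoC, strip a URL down to its host, resolve it, find co-hosted domains, search for domains containing the seed strings, and pivot on a historical WHOIS e-mail, then check every new artifact against a reputation list. The script below is an added example of that workflow; it is not WhoisXML API’s code, and the passive DNS, WHOIS and reputation tables in it are constructed stand-ins (reserved `.example` names and RFC 5737 documentation IPs) for the live lookups the article describes. In practice each table would be replaced by a query to the corresponding data source.

```python
"""IoC expansion pivots (DNS, reverse IP, keyword discovery, WHOIS e-mail)
run over a constructed dataset. Added example; not WhoisXML API's code or data."""
import re
from urllib.parse import urlparse

# Constructed stand-ins for the lookups the article describes. Every domain,
# IP and e-mail here is made up for the example.
PASSIVE_DNS = {                       # domain -> IPs it resolved to
    "seed-one.example": ["192.0.2.10", "192.0.2.11"],
    "seedtwo.example": ["192.0.2.10"],
    "cohost-a.example": ["192.0.2.10"],
    "cohost-b.example": ["192.0.2.11"],
    "cohost-c.example": ["192.0.2.11"],
    "unrelated.example": ["198.51.100.7"],
    "seed-one-login.example": ["198.51.100.8"],
    "seedtwo-support.example": ["198.51.100.9"],
    "sibling-x.example": ["198.51.100.20"],
    "sibling-y.example": ["198.51.100.21"],
}
WHOIS_EMAIL = {                       # domain -> registrant e-mail (historical WHOIS)
    "seedtwo.example": "registrant@mail.example",
    "sibling-x.example": "registrant@mail.example",
    "sibling-y.example": "registrant@mail.example",
    "unrelated.example": "other@mail.example",
}
MALICIOUS = {"cohost-b.example", "sibling-y.example"}   # reputation feed stand-in


def refang(ioc: str) -> str:
    """Undo report-style defanging: 'a[.]b' -> 'a.b', 'hxxp://' -> 'http://'."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc.replace("[.]", "."))


def defang(value: str) -> str:
    """Defang a live indicator before it goes back into a report or ticket."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", value).replace(".", "[.]")


def host_of(indicator: str) -> str:
    """Strip a URL (or bare domain) down to its host, as done with the Dridex URL."""
    ref = refang(indicator)
    if "://" not in ref:
        ref = "//" + ref              # let urlparse treat a bare domain as the netloc
    return urlparse(ref).hostname.lower()


def resolve(domains):
    """DNS lookup pivot: every IP the seed domains resolve to."""
    return sorted({ip for d in domains for ip in PASSIVE_DNS.get(d, [])})


def reverse_ip(ips, exclude):
    """Reverse IP/DNS pivot: other domains sharing any of those IPs."""
    ips = set(ips)
    return sorted(d for d, hosted in PASSIVE_DNS.items()
                  if d not in exclude and ips.intersection(hosted))


def keyword_discovery(keywords, exclude):
    """Domains & Subdomains Discovery pivot: domains containing a seed string."""
    return sorted(d for d in PASSIVE_DNS
                  if d not in exclude and any(k in d for k in keywords))


def whois_pivot(emails, exclude):
    """Historical WHOIS pivot: other domains registered with the same e-mail."""
    return sorted(d for d, e in WHOIS_EMAIL.items() if d not in exclude and e in emails)


def expand(seed_iocs):
    """Run all pivots from the published IoCs and flag artifacts with a bad reputation."""
    seeds = {host_of(i) for i in seed_iocs}
    ips = resolve(seeds)
    cohosted = reverse_ip(ips, seeds)
    keywords = {d.split(".")[0] for d in seeds}       # leftmost label, e.g. 'moscowkov'
    lookalikes = keyword_discovery(keywords, seeds)
    emails = {WHOIS_EMAIL[d] for d in seeds if d in WHOIS_EMAIL}
    siblings = whois_pivot(emails, seeds)
    artifacts = sorted(set(cohosted) | set(lookalikes) | set(siblings))
    malicious = sorted(d for d in artifacts if d in MALICIOUS)
    return {
        "seeds": sorted(seeds), "ips": ips, "cohosted": cohosted,
        "lookalikes": lookalikes, "whois_siblings": siblings,
        "artifacts": artifacts, "malicious": malicious,
        "malicious_share": len(malicious) / len(artifacts) if artifacts else 0.0,
    }


def blocklist(expansion):
    """Defanged, ready-to-paste block entries for the confirmed-malicious artifacts."""
    return [defang(d) for d in expansion["malicious"]]


if __name__ == "__main__":
    report = expand(["seed-one[.]example", "hxxp://seedtwo[.]example/drop/payload[.]exe"])
    for key, value in report.items():
        print(f"{key}: {value}")
    print("blocklist:", blocklist(report))
```

Only the artifacts that a reputation source already flags go onto the blocklist; the co-hosted and look-alike domains that are not flagged are kept as a watch list rather than blocked outright, since shared hosting and string resemblance alone are weak evidence.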
Early threat detection and blocking potential attack vectors from accessing your network are effective means of protecting against malware, even strains as persistent as AutoIT-compiled malware and Dridex. Identifying and then monitoring all possible malware entry points through an IoC list expansion can help with this process. Our in-depth investigations, for instance, added 1,425 artifacts, including 12 malicious domains, to SANS ISC’s and Trend Micro’s initial lists.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.