AutoIT-compiled malware and Dridex trace their roots to as far back as 2008 and 2014, respectively. As malware variants go, therefore, they’ve both had a long history and taken on various forms over time. But despite having been detected and consequently blocked with each new version, they’re still alive and kicking—a testament to their persistence.

The SANS Internet Storm Center (ISC) recently reported seeing an AutoIT-compiled malware stealing information from Microsoft Outlook and Chrome. Dridex, meanwhile, resurfaced with a new entry tactic to target macOS users, according to Trend Micro. While we may not see the end of these tried-and-tested malware yet, we can attempt to mitigate the nasty repercussions they can bring with the early threat detection of suspicious Internet properties.

Armed with exhaustive WHOIS, IP, and DNS intelligence, WhoisXML API researchers expanded the lists of indicators of compromise (IoCs) identified for both threats to help users mitigate risks. Our analysis of three domains (AutoIT IoCs) and one URL (Dridex IoC) uncovered:

• Three IP addresses the AutoIT domains identified as IoCs resolved to
• 329 domains that shared the AutoIT domains’ IP hosts, nine of which were deemed malicious
• 154 domains that contained the strings publicpress and moscowkov like the AutoIT IoCs
• An unredacted email address in the Dridex domain’s historical WHOIS records
• 488 domains that shared the Dridex domain’s registrant email address, two of which were considered malicious
• One IP address the Dridex domains resolved to
• 300 domains that shared the Dridex domain’s IP host, one of which was tagged as malicious
• 638 domains that contained the strings pr-clanky and kvalitne like the Dridex IoC

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the AutoIT-Compiled Malware IoCs

We used the three domains SANS ISC published as IoCs—publicpressmagazine[.]com, moscowkov[.]xyz, and moscowkov[.]at—for our expansion analysis for the newly discovered AutoIT-compiled malware.

First, we subjected the domains to DNS lookups, which led to the discovery of three unique IP addresses—172[.]67[.]137[.]212, 104[.]21[.]81[.]36, and 85[.]209[.]135[.]159. The first two were shared IP hosts while the last one was private. Two of the IP addresses were geolocated in the U.S. while the last one traced back to the Netherlands.

Reverse IP/DNS lookups for these IP hosts allowed us to uncover 329 possibly connected domains, 3% of which turned out to be malicious. While a majority of the malicious properties were unreachable at the time of writing, the following pages—a live auto insurance site, another that’s up for sale, and an index page—may serve as malware hosts or suffer from reputation damages due to unintended links to potentially dangerous IP addresses.

Next, we used two text strings—publicpress and moscowkov—seen among the IoCs as Domains & Subdomains Discovery search terms to find more potentially connected artifacts. That gave us 154 additional domains. While none of them are currently being detected as malicious, their resemblance to the AutoIT IoCs may make them attractive potential threat vectors for the cyber attackers’ consideration.

A Deep Dive into the New Dridex Attack

Our investigation of the latest Dridex attack jumped off a URL—http://pr-clanky[.]kvalitne[.]cz/65y3fd23d/87i4g3d2d2[.]exe—identified as an IoC.

We stripped the URL down to pr-clanky[.]kvalitne[.]cz for further analysis. A historical WHOIS search for the domain name kvalitne[.]cz revealed an unredacted email address—info@webzdarma[.]cz—that we used to look for other likely connected domains. We found 488 domains, two of which—prodejce[.]cz and web2001[.]cz—were dubbed malicious.

Based on a DNS lookup, the Internet property resolved to the IP address 185[.]64[.]219[.]6, which it shared with 300 other domains, one of which—11235813[.]webzdarma[.]cz—turned out to be malicious. Note its domain’s similarity with that of the unredacted email address our historical WHOIS search found. Given that the unredacted email address was used in 2017, the actors behind the old and this latest Dridex attack could be one and the same.

To gather other possible artifacts, we used two strings—pr-clanky and kvalitne—found in the IoC’s domain as Domains & Subdomains Discovery search terms. That led to the discovery of 638 other domains. While none of them are currently being detected as malicious, their resemblance to the IoC may tempt the threat actors behind the recent Dridex attack to use them as future malware hosts.

Early threat detection and blocking potential attack vector access to your network is an effective means to protect against malware even those as persistent as AutoIT-compiled malware and Dridex. The identification and consequent monitoring of all possible malware entry points via an IoC list expansion can help with this process. Our in-depth investigations, for instance, added 1,425 artifacts, including 12 malicious domains, to SANS ISC’s and Trend Micro’s initial lists.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.