Fake SpaceX Starbase Invite Excel document found distributing Dridex

The SonicWall Capture Labs Threat Research Team has observed that a fake Space Starbase Invite is being circulated over email with a malicious excel document as an attachment. On opening the attachment, it will execute VBA macro code to infect the system with Dridex malware.

Infection Cycle

Upon opening the attachment, the user is displayed instructions to enable content as shown below:

Fig-1: Excel File

The malicious excel file has obfuscated macro and a workbook_open method, which gets executed upon opening the document. The VBA Macro drops an XSL file into %appdata%\<random>.xsl. The dropped XSL is then executed by passing it as an argument to WMIC (Windows Management Instrumentation Command-line utility).

Fig-2: VBA Macro creating XSL file

XSL file

XSL files are style sheets to process data in XLM files which also supports script embedding and execution. This old technique has been assigned Mitre ATT &CK ID: T1220.

The XSL file contains JScript code to download and execute the payload. The payload takes "validateLog" as an argument as shown below:

Fig-3: Contents of XSL file

SonicWall Capture ATP protects against this threat as shown below:

Fig-4: Capture ATP report

Indicators of Compromise

SHA256 of malicious excel files:

21bf810cf015e8ffec9b844632a94274d9d387ad528e7d75adf116acea5a4d4b
2355f05bca712ce31b1fef911395862eb34e73db7a3ca0a6bee2664024e47518
376dad0f953db87ebfa71edb5173d4d8226c242d257a40cc9359f4d53b850aff
466e4c5fe6b3c05ff34e487a0ba0910c1dc53b1c41ef1c27a779379bd2c9534d
4d8ae33f7f5e41d9b3c3109daf043f5a803c639a68a697838bdcd17135c03730
55a258190c8461b2aec9e698edb85297f2c850de44e6659529b00a0af7c98fe6
a5bc04a9b80ebb1b62367b8fec7463da3b0d096bc99c798f7ecf1f048580729c
af686418e437e9dca34e08381e3dc8e5f3aa06a458e610d9095ce2eb0a00ebc4
c83e3d04d0807dbb1144f776ab144e9b85c94b0c0e8ca05f78664e6e46f621cd
ee3755902532f4636d3a8a86de2f9bc13ae235a9220f97a8862d82bc52599066

Network Connections:

https://new[.]bombill[.]com/B2B/js/public_html/new[.]bombill[.]com/kML98YVm1[.]php
https://mishpachton[.]club/wp-content/uploads/2020/01/sULnmh1mel6Ha[.]php
https://hotelmarissa[.]ro/hms/highslide/graphics/outlines/aKBRsNGhkJnFy[.]php
https://lekkievents[.]com/RcjJztqmB3CJ[.]php
https://slasinfo[.]com/wp-content/plugins/better-wp-security/core/Z3w9lRfmiUeqn[.]php
https://turktech[.]co[.]uk/wp-content/uploads/2020/01/XBKtCe6h[.]php
https://marcosindiagroup[.]com/wp-content/uploads/elementor/css/Y1KA13a0oHq0vv[.]php
https://drakarys[.]rs/img/icons/tabs/xTPpiyC3[.]php
https://jettyplus[.]com/wp-includes/sodium_compat/namespaced/Core/n95mTqnEYm2lEqF[.]php
https://desertkingresort[.]com/wp-includes/js/mediaelement/renderers/Qh3RRz2g[.]php
https://elivebox[.]net/school/bower_components/chosen/docsupport/7Il9rC5wQ[.]php
https://eletronicaeduardo[.]com[.]br/www3/sistema/application/config/ANBPUKvb49gQn[.]php
https://mail[.]beetleorchid[.]in//i07uqfyKKQ3jUN8[.]php
https://nationalngofederation[.]com/wp-includes/SimplePie/Decode/HTML/CQiRG6YtYGt[.]php
https://leer-afrikaans[.]co[.]za/5TdZj0lfsvo[.]php
https://mail[.]account[.]inventorybiz[.]com//X70ySsjm2[.]php
https://elkytoursandtravel[.]com/wp-includes/SimplePie/Decode/HTML/i06d5d4XcypWc[.]php
https://drlamyas[.]net/wp-content/plugins/LayerSlider/classes/gt45kDacR6[.]php
https://one2onematch[.]net/back_up/under/fonts/Montserrat/kDCn9x8aeY8jz[.]php
https://centrodetraduccionespuce[.]com/intranet_old/css/vendor/square/risWzMrGzRtO4bS[.]php
https://askcon[.]net/wp-includes/SimplePie/Content/Type/0lOzUuHLScUH[.]php
https://crm[.]sgdatapos[.]com/modules/goals/language/bulgarian/vdOwNUr2yXh[.]php
https://lweonepal[.]com/wp-content/cache/object/013/bFPs28xfQyOe[.]php
https://triplonet[.]com[.]br/__MACOSX/wp-includes/js/codemirror/3Uqzx5RTyl8pT[.]php
https://casagrandecontabil[.]com[.]br/vo/vfm-admin/images/avatars/1Wu2EdUfRb3q7Zu[.]php
https://ppdb[.]smp1sbw[.]sch[.]id/ro-plugins/ckeditor/skins/moono-lisa/767884gnQIu[.]php
https://blog[.]garantitorna[.]com/wp-includes/css/dist/block-directory/j9nCiyCAcJQDh3[.]php
https://dikan[.]co[.]za/wsz2SCI6sU6k6o[.]php
https://elearn[.]empoweredmw[.]com/lib/minify/matthiasmullie-minify/data/WD3Uawo4EEZ[.]php
https://equiposautomotriz[.]com/wp-includes/Requests/Exception/HTTP/U997eIiQSqs3[.]php
https://familystory[.]es/wp-content/uploads/2021/01/InOm7e9u4vMmW[.]php
https://fortgem[.]co[.]uk/wp-includes/css/dist/block-directory/Pk57G2yz[.]php
https://sproca[.]tg/wp-content/themes/agronomics-lite/css/nj6N9LQhADNC[.]php
https://tarifacabins[.]com/wp-includes/js/mediaelement/renderers/KcsChOSuEV[.]php
https://gesky[.]co[.]tz/wp-includes/sodium_compat/namespaced/Core/HMJi1PQC[.]php
https://birkett[.]com[.]au/include/Base/Modules/Filter/KZyRSXJtoC[.]php
https://dentaldesignstudiowi[.]com/wp-content/uploads/2021/01/9eFsntMZ[.]php

SHA256 of Dridex payload:

a095a0ec3cd1655bbabad3f3b2e996521444c93dc51f1e78af878bfef3fd3ca8
c190c5a25b2616a4a0c4965d5f83cc47e47f2d2e4d2cab2c8987dcc29db290a3

Dropped Files:

%appdata%\<random>.xsl
C:\windows\Temp\<random>.dll

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.