win.doppeldridex

DoppelDridex

Actor(s): DOPPEL SPIDER


DoppelDridex is a fork of Indrik Spider's Dridex malware. DoppelDridex has been run as a parallel operation to Dridex, with a different malware versioning system, a different RSA key, and different infrastructure.

References
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2021-12-20Bleeping ComputerLawrence Abrams
@online{abrams:20211220:log4j:1a80230, author = {Lawrence Abrams}, title = {{Log4j vulnerability now used to install Dridex banking malware}}, date = {2021-12-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/}, language = {English}, urldate = {2021-12-21} } Log4j vulnerability now used to install Dridex banking malware
DoppelDridex Meterpreter
2021-12-20InQuestNick Chalard
@online{chalard:20211220:dont:0aad3db, author = {Nick Chalard}, title = {{(Don't) Bring Dridex Home for the Holidays}}, date = {2021-12-20}, organization = {InQuest}, url = {https://inquest.net/blog/2021/12/20/dont-bring-dridex-home-holidays}, language = {English}, urldate = {2021-12-22} } (Don't) Bring Dridex Home for the Holidays
DoppelDridex Dridex
2021-11-21Cyber-AnubisNidal Fikri
@online{fikri:20211121:dridex:b9218fa, author = {Nidal Fikri}, title = {{Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction}}, date = {2021-11-21}, organization = {Cyber-Anubis}, url = {https://cyber-anubis.github.io/malware%20analysis/dridex/}, language = {English}, urldate = {2021-12-01} } Dridex Trojan | Defeating Anti-Analysis | Strings Decryption | C&C Extraction
DoppelDridex Dridex
2021-11-05BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20211105:hunter:3c7bab9, author = {The BlackBerry Research & Intelligence Team}, title = {{Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware}}, date = {2021-11-05}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/11/zebra2104}, language = {English}, urldate = {2021-11-08} } Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Cobalt Strike DoppelDridex Mount Locker Phobos StrongPity
2021-11-03Team Cymrutcblogposts
@online{tcblogposts:20211103:webinject:f4d41bb, author = {tcblogposts}, title = {{Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance}}, date = {2021-11-03}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/11/03/webinject-panel-administration-a-vantage-point-into-multiple-threat-actor-campaigns/}, language = {English}, urldate = {2021-11-08} } Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns - A Case Study on the Value of Threat Reconnaisance
DoppelDridex IcedID QakBot Zloader
2021-10-28Twitter (@BrettCallow)Brett Callow
@online{callow:20211028:suspected:ae61e43, author = {Brett Callow}, title = {{Tweet on suspected actor behind Payorgrief ransomware}}, date = {2021-10-28}, organization = {Twitter (@BrettCallow)}, url = {https://twitter.com/BrettCallow/status/1453557686830727177?s=20}, language = {English}, urldate = {2021-11-08} } Tweet on suspected actor behind Payorgrief ransomware
DoppelDridex DoppelPaymer
2021-10-28ProofpointAxel F, Selena Larson
@online{f:20211028:ta575:c1cfdd7, author = {Axel F and Selena Larson}, title = {{TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware}}, date = {2021-10-28}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware}, language = {English}, urldate = {2021-11-03} } TA575 Uses ‘Squid Game’ Lures to Distribute Dridex malware
DoppelDridex
2021-10-26 0ffset Blog Chuong Dong
@online{dong:20211026:dridex:e054dc4, author = {Chuong Dong}, title = {{DRIDEX: Analysing API Obfuscation Through VEH}}, date = {2021-10-26}, organization = {0ffset Blog}, url = {https://www.0ffset.net/reverse-engineering/malware-analysis/dridex-veh-api-obfuscation/}, language = {English}, urldate = {2021-11-03} } DRIDEX: Analysing API Obfuscation Through VEH
DoppelDridex
2021-09-27Security Soup BlogRyan Campbell
@online{campbell:20210927:doppeldridex:daa5f69, author = {Ryan Campbell}, title = {{DoppelDridex Delivered via Slack and Discord}}, date = {2021-09-27}, organization = {Security Soup Blog}, url = {https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/}, language = {English}, urldate = {2021-09-29} } DoppelDridex Delivered via Slack and Discord
DoppelDridex
2021-09-10FortinetXiaopeng Zhang
@online{zhang:20210910:new:25d8475, author = {Xiaopeng Zhang}, title = {{New Dridex Variant Being Spread By Crafted Excel Document}}, date = {2021-09-10}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true}, language = {English}, urldate = {2021-09-12} } New Dridex Variant Being Spread By Crafted Excel Document
DoppelDridex
2021-08-05Red CanaryTony Lambert, Brian Donohue, Dan Cotton
@online{lambert:20210805:when:aeb7b10, author = {Tony Lambert and Brian Donohue and Dan Cotton}, title = {{When Dridex and Cobalt Strike give you Grief}}, date = {2021-08-05}, organization = {Red Canary}, url = {https://redcanary.com/blog/grief-ransomware/}, language = {English}, urldate = {2021-09-10} } When Dridex and Cobalt Strike give you Grief
Cobalt Strike DoppelDridex DoppelPaymer
2021-02-15Medium s2wlabSojun Ryu
@online{ryu:20210215:operation:b0712b0, author = {Sojun Ryu}, title = {{Operation SyncTrek}}, date = {2021-02-15}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/operation-synctrek-e5013df8d167}, language = {English}, urldate = {2021-09-02} } Operation SyncTrek
AbaddonPOS Azorult Clop DoppelDridex DoppelPaymer Dridex PwndLocker
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER Pirate Panda SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
Yara Rules
[TLP:WHITE] win_doppeldridex_auto (20220411 | Detects win.doppeldridex.)
rule win_doppeldridex_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.doppeldridex."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on reading and deploying this rule:
     * - Each $sequence_N is a short run of x86 opcode bytes lifted from the
     *   disassembly shown in the comments beneath it. "??" is YARA's
     *   single-byte wildcard; here it masks call/jmp displacements (e8/e9)
     *   and one 32-bit immediate (bb), so the pattern is not pinned to the
     *   addresses of a single build.
     * - The "score" annotations are emitted by the generator: $sequence_0..7
     *   carry score 1200, $sequence_8..15 carry score 100. The score is
     *   informational only and does not influence matching; presumably it
     *   reflects how strongly each sequence discriminated the family in the
     *   source corpus — confirm against the yara-signator documentation.
     * - Because the strings were derived from unpacked code and memory dumps
     *   (see DISCLAIMER), expect the rule to fire on unpacked or in-memory
     *   images rather than on packed on-disk droppers.
     */


    strings:
        $sequence_0 = { 0f8560030000 8b4614 85c0 7405 83f8ff 7504 }
            // n = 6, score = 1200
            //   0f8560030000         | jne                 0x366
            //   8b4614               | mov                 eax, dword ptr [esi + 0x14]
            //   85c0                 | test                eax, eax
            //   7405                 | je                  7
            //   83f8ff               | cmp                 eax, -1
            //   7504                 | jne                 6

        $sequence_1 = { 5b c3 e8???????? bb???????? 8b03 8b00 85c0 }
            // n = 7, score = 1200
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   e8????????           |                     
            //   bb????????           |                     
            //   8b03                 | mov                 eax, dword ptr [ebx]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   85c0                 | test                eax, eax

        $sequence_2 = { 5b e9???????? 8bcf e8???????? 0fb700 }
            // n = 5, score = 1200
            //   5b                   | pop                 ebx
            //   e9????????           |                     
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     
            //   0fb700               | movzx               eax, word ptr [eax]

        $sequence_3 = { 5d 5b 5f 5e c20400 33ed }
            // n = 6, score = 1200
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   33ed                 | xor                 ebp, ebp

        $sequence_4 = { 5b e8???????? 891e 8d4c2410 }
            // n = 4, score = 1200
            //   5b                   | pop                 ebx
            //   e8????????           |                     
            //   891e                 | mov                 dword ptr [esi], ebx
            //   8d4c2410             | lea                 ecx, dword ptr [esp + 0x10]

        $sequence_5 = { 5d 5b 5e c20800 33d2 ebb7 }
            // n = 6, score = 1200
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c20800               | ret                 8
            //   33d2                 | xor                 edx, edx
            //   ebb7                 | jmp                 0xffffffb9

        $sequence_6 = { 5d 5b 5e c3 6a00 8d4c243c }
            // n = 6, score = 1200
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   6a00                 | push                0
            //   8d4c243c             | lea                 ecx, dword ptr [esp + 0x3c]

        $sequence_7 = { 5d 5b 5e c20400 56 53 }
            // n = 6, score = 1200
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   5e                   | pop                 esi
            //   c20400               | ret                 4
            //   56                   | push                esi
            //   53                   | push                ebx

        // Sequences 8..15 below were assigned score 100 by the generator
        // (versus 1200 for sequences 0..7); the condition treats all 16 alike.
        $sequence_8 = { ebde 31c0 8b4dc8 83c114 8b55c8 8b7214 }
            // n = 6, score = 100
            //   ebde                 | jmp                 0xffffffe0
            //   31c0                 | xor                 eax, eax
            //   8b4dc8               | mov                 ecx, dword ptr [ebp - 0x38]
            //   83c114               | add                 ecx, 0x14
            //   8b55c8               | mov                 edx, dword ptr [ebp - 0x38]
            //   8b7214               | mov                 esi, dword ptr [edx + 0x14]

        $sequence_9 = { eb22 668b45c6 66c1e801 0fb7c8 6683f800 }
            // n = 5, score = 100
            //   eb22                 | jmp                 0x24
            //   668b45c6             | mov                 ax, word ptr [ebp - 0x3a]
            //   66c1e801             | shr                 ax, 1
            //   0fb7c8               | movzx               ecx, ax
            //   6683f800             | cmp                 ax, 0

        $sequence_10 = { 66897dc6 0f8555ffffff eb8c 31c0 8b4dcc 8b11 8b75bc }
            // n = 7, score = 100
            //   66897dc6             | mov                 word ptr [ebp - 0x3a], di
            //   0f8555ffffff         | jne                 0xffffff5b
            //   eb8c                 | jmp                 0xffffff8e
            //   31c0                 | xor                 eax, eax
            //   8b4dcc               | mov                 ecx, dword ptr [ebp - 0x34]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b75bc               | mov                 esi, dword ptr [ebp - 0x44]

        $sequence_11 = { 8b7de4 8b440718 83f800 8945d8 8955d4 8975d0 }
            // n = 6, score = 100
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   8b440718             | mov                 eax, dword ptr [edi + eax + 0x18]
            //   83f800               | cmp                 eax, 0
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   8955d4               | mov                 dword ptr [ebp - 0x2c], edx
            //   8975d0               | mov                 dword ptr [ebp - 0x30], esi

        $sequence_12 = { e9???????? 8b45a8 8b4dec 81f19d94d30b 39c8 8945c8 74a9 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b45a8               | mov                 eax, dword ptr [ebp - 0x58]
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   81f19d94d30b         | xor                 ecx, 0xbd3949d
            //   39c8                 | cmp                 eax, ecx
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   74a9                 | je                  0xffffffab

        $sequence_13 = { 83c101 39c1 894dec 740a eba4 8b45e4 8945e0 }
            // n = 7, score = 100
            //   83c101               | add                 ecx, 1
            //   39c1                 | cmp                 ecx, eax
            //   894dec               | mov                 dword ptr [ebp - 0x14], ecx
            //   740a                 | je                  0xc
            //   eba4                 | jmp                 0xffffffa6
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_14 = { e8???????? 31c0 8b4dec 8b11 8b711c }
            // n = 5, score = 100
            //   e8????????           |                     
            //   31c0                 | xor                 eax, eax
            //   8b4dec               | mov                 ecx, dword ptr [ebp - 0x14]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   8b711c               | mov                 esi, dword ptr [ecx + 0x1c]

        $sequence_15 = { 8b8d68ffffff 8d55cc 8d75d0 8b790c }
            // n = 4, score = 100
            //   8b8d68ffffff         | mov                 ecx, dword ptr [ebp - 0x98]
            //   8d55cc               | lea                 edx, dword ptr [ebp - 0x34]
            //   8d75d0               | lea                 esi, dword ptr [ebp - 0x30]
            //   8b790c               | mov                 edi, dword ptr [ecx + 0xc]

    condition:
        // Match when any 7 of the 16 $sequence_* strings are present AND the
        // scanned object is smaller than 360448 bytes (352 KiB). The size cap
        // is absolute: a larger file will not match no matter how many
        // sequences it contains, so keep it in mind when scanning full
        // process dumps rather than extracted images.
        7 of them and filesize < 360448
}