AutoIT-compiled malware¹ and Dridex² may have stood the test of time as far as threat lifespans go, but their resilience doesn’t make them invincible. Our IoC expansion analysis into the latest AutoIT³ and Dridex⁴ attacks just so happened to reveal 1,425 yet-undisclosed artifacts that may be able to help with mitigation, namely:

• Three IP addresses the AutoIT domains identified as IoCs resolved to
• 300+ domains that shared the AutoIT domains’ IP hosts, 3% of which were deemed malicious
• 100+ domains that contained the strings publicpress and moscowkov like the AutoIT IoCs
• An unredacted email address in the Dridex domain’s historical WHOIS records
• 400+ domains that shared the Dridex domain’s registrant email address, two of which were considered malicious
• One IP address the Dridex domains resolved to
• 300 domains that shared the Dridex domain’s IP host, one of which was tagged as malicious
• 600+ domains that contained the strings pr-clanky and kvalitne like the Dridex IoC

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

—

• [1] https://www.autohotkey.com/board/topic/25043-autoitkv-worm-detected/
• [2] https://community.broadcom.com/symantecenterprise/viewdocument/dridex-and-how-to-overcome-it?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments#:~:text=This%20mainly%20targets%20customers%20of,as%20techniques%20to%20avoid%20detection.
• [3] https://isc.sans.edu/diary/rss/29408
• [4] https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html