AutoIT-compiled malware1 and Dridex2 may have stood the test of time as far as threat lifespans go, but their resilience doesn’t make them invincible. Our IoC expansion analysis into the latest AutoIT3 and Dridex4 attacks just so happened to reveal 1,425 yet-undisclosed artifacts that may be able to help with mitigation, namely:
- Three IP addresses the AutoIT domains identified as IoCs resolved to
- 300+ domains that shared the AutoIT domains’ IP hosts, 3% of which were deemed malicious
- 100+ domains that contained the strings publicpress and moscowkov like the AutoIT IoCs
- An unredacted email address in the Dridex domain’s historical WHOIS records
- 400+ domains that shared the Dridex domain’s registrant email address, two of which were considered malicious
- One IP address the Dridex domains resolved to
- 300 domains that shared the Dridex domain’s IP host, one of which was tagged as malicious
- 600+ domains that contained the strings pr-clanky and kvalitne like the Dridex IoC
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://www.autohotkey.com/board/topic/25043-autoitkv-worm-detected/
- [2] https://community.broadcom.com/symantecenterprise/viewdocument/dridex-and-how-to-overcome-it?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments#:~:text=This%20mainly%20targets%20customers%20of,as%20techniques%20to%20avoid%20detection.
- [3] https://isc.sans.edu/diary/rss/29408
- [4] https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-new-entry-method.html