Using FTP sites rather than the more usual HTTP links is probably an attempt to evade email gateways and to exploit the fact that many network policies treat FTP sites as trusted locations, according to researchers at Forcepoint Security Labs.
The technique also exposes the credentials of the compromised FTP sites. “The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” the researchers said in a blog post, noting that a compromised account may be abused multiple times by different actors as long as the credentials remain the same.
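The two points above, FTP links slipping past policies that trust them and credentials embedded in the link itself, are both things a mail-filtering team can check for directly. The following Python is an added example, not code from the Forcepoint post: it pulls URLs out of an email body, flags every FTP link and whether it carries a user:password part, and redacts that part before the message is logged or forwarded so the analyst's own tooling does not re-leak the compromised site's credentials. The email text is constructed for the example, not a sample from the campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed email body for the example (not a real campaign sample).
SAMPLE_BODY = """Please find your invoice here:
ftp://acme_user:Sup3rSecret@ftp.example.net/docs/invoice_2018.xls.
A copy is also at http://www.example.org/invoice.doc"""

# Schemes a lure is likely to use; a URL ends at whitespace or quoting chars.
URL_RE = re.compile(r'\b(?:ftps?|https?)://[^\s<>"\']+', re.IGNORECASE)


def extract_urls(text):
    """Return the URLs in text with trailing sentence punctuation stripped."""
    return [m.group(0).rstrip('.,;:)') for m in URL_RE.finditer(text)]


def find_ftp_links(text):
    """Flag every FTP URL and record whether it embeds credentials.

    Each hit is a dict with host, path, username and has_credentials.
    The password is deliberately not returned so that alert payloads
    do not carry the compromised site's secret any further.
    """
    hits = []
    for url in extract_urls(text):
        parts = urlsplit(url)
        if parts.scheme.lower() not in ('ftp', 'ftps'):
            continue
        hits.append({
            'host': parts.hostname,
            'path': parts.path,
            'username': parts.username,
            'has_credentials': parts.username is not None,
        })
    return hits


# user:pass@ between the scheme and the host; a '/' before '@' means the
# '@' belongs to the path, not to userinfo, so it is excluded.
CREDS_RE = re.compile(r'(ftps?://)[^/\s@]+@', re.IGNORECASE)


def redact_ftp_credentials(text):
    """Blank out user:pass@ in FTP URLs before the text is stored or shared."""
    return CREDS_RE.sub(r'\1[REDACTED]@', text)


if __name__ == '__main__':
    for hit in find_ftp_links(SAMPLE_BODY):
        print(hit)
    print(redact_ftp_credentials(SAMPLE_BODY))
```

The host and username that `find_ftp_links` returns are what you need to notify the owner of the abused site; the password is exactly what should not travel with the alert, which is why the scanner drops it and `redact_ftp_credentials` strips it from any copy of the message that gets archived.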
The researchers observed that malicious emails were distributed on 17 January 2018 and remained active for about seven hours.
“The emails were sent primarily to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the UK, and Australia respectively,” the researchers said.
All the sender addresses used for the emails, which were designed to trick recipients into downloading a Dridex variant that steals banking credentials, belonged to compromised accounts. To make the emails look more convincing, the sender addresses used generic local parts such as admin@, help@, info@ and support@.
The campaign used two types of document. The first is a DOC file that abuses Windows Dynamic Data Exchange (DDE) to execute a shell command that downloads the malware; the second is an XLS file containing a macro that downloads Dridex.
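DDE abuse of the kind described above works through a Word field code whose first token is DDE or DDEAUTO, and the code can be spread over several runs in the document XML so that a plain grep for "DDEAUTO" misses it. The following Python is an added example, not code from the Forcepoint write-up: it reassembles the field codes in the word/document.xml part of an OOXML (.docx) file and reports the ones that start with DDE or DDEAUTO. The document fragment is constructed for the example, the command inside it is a placeholder, and the `scan_docx` helper is a convenience wrapper assumed here rather than anything from the report. Note that this check is for the OOXML form; a legacy binary .doc stores field codes in its WordDocument stream and needs a different parser.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'

# Constructed word/document.xml fragment (not a real sample). The DDEAUTO
# field code is split over two instrText runs, which defeats a naive grep
# for the literal string "DDEAUTO". A harmless PAGE field is included so
# the scanner has something benign to ignore.
SAMPLE_DOCUMENT_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body>
<w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe "/k powershell -e AAAA" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Loading document...</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
</w:body>
</w:document>"""


def extract_field_codes(document_xml):
    """Reassemble every field code in a document.xml string.

    Complex fields are delimited by fldChar begin/separate/end markers and
    their instruction text may be spread over any number of instrText runs;
    simple fields carry the code in the w:instr attribute. Nested fields
    are not handled: an inner begin simply restarts the buffer.
    """
    root = ET.fromstring(document_xml)
    codes = []
    buf = None  # instrText pieces collected while inside a field's code part
    for el in root.iter():
        tag = el.tag.rsplit('}', 1)[-1]
        if tag == 'fldSimple':
            codes.append(el.get('{%s}instr' % W_NS, ''))
        elif tag == 'fldChar':
            kind = el.get('{%s}fldCharType' % W_NS)
            if kind == 'begin':
                buf = []
            elif kind in ('separate', 'end') and buf is not None:
                codes.append(''.join(buf))
                buf = None
        elif tag == 'instrText' and buf is not None:
            buf.append(el.text or '')
    return codes


# The first token of a field code decides what it does; DDE and DDEAUTO
# both launch the named application. Leading whitespace is allowed.
DDE_RE = re.compile(r'^\s*DDE(AUTO)?\b', re.IGNORECASE)


def find_dde_fields(document_xml):
    """Return whitespace-normalised DDE/DDEAUTO field codes in document_xml."""
    return [' '.join(code.split())
            for code in extract_field_codes(document_xml)
            if DDE_RE.match(code)]


def scan_docx(path):
    """Convenience wrapper (assumed helper): scan a .docx file on disk."""
    with zipfile.ZipFile(path) as zf:
        return find_dde_fields(zf.read('word/document.xml').decode('utf-8'))


if __name__ == '__main__':
    for code in find_dde_fields(SAMPLE_DOCUMENT_XML):
        print('DDE field:', code)
```

Reassembling the field code before matching is the point of the example: a detection keyed on the literal string in a single run is trivially split apart, while the begin/separate/end markers have to be present for Word to treat the text as a field at all. Other field-code obfuscations exist, so treat this as one layer of a check rather than a complete rule.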
The security researchers observed that the compromised servers were not all running the same FTP software, and concluded that the credentials were therefore probably obtained in some other way rather than through a vulnerability in one FTP server product.
They also note that the attackers did not appear to be worried about exposing the credentials of the FTP sites they abused, potentially exposing the already-compromised sites to further abuse by other groups.
“This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,” they said. “Equally, if a compromised site is used by multiple actors, it also makes attribution harder for security professionals and law enforcement.”
Multiple attributes of the campaign suggest a connection to the Necurs botnet, they said. These include the fact that the domains used for distribution were already listed as compromised domains used in previous Necurs campaigns, that Necurs is historically known to spread Dridex, that the document downloaders are similar to those used by Necurs in the past, and that the download locations of the XLS file also follow the traditional Necurs format.
However, the researchers said the volume of this particular campaign was very low compared with typical Necurs campaigns. “Necurs typically sends out millions of emails per campaign, while this campaign was recorded sending just over 9,500 emails in total,” they said.
“Although there are attributes of the campaign that suggest it is coming from Necurs, the size of the campaign is more or less ‘average’. Given Necurs’ typical association with very large campaigns, the reason for this remains something of a mystery.”
The researchers also noted that Necurs has recently been recorded using malicious links instead of malicious attachments to distribute Dridex. “But the switch to FTP-based download URLs is an unexpected change,” they said.
Brooks Wallace, managing director for Europe at financial services anti-fraud and security company Trusted Knight, said Dridex’s seemingly endless ability to evolve makes it a real problem for anyone using online banking.
“It’s also not exactly popular with security teams inside financial services companies themselves, given its effectiveness at stealing bank logins wholesale,” he said. “It is a testament to the danger of such flexible malware platforms, which means teams of well-funded criminals can continue to stay one step ahead of the anti-malware and anti-virus solutions often used by even the most security-conscious online banker.
“However, the vast majority of online banking customers aren’t using anything at all to protect their logins and transactions, leaving their accounts open for criminals to have a big payday.
“Dangerous – and ultimately expensive – malware like this is plundering accounts constantly and fraud and security measures need to get smarter to protect both banks and customers from massive fraud and security losses.”