New Dridex campaign uses FTP sites instead of HTTP
New Dridex campaign uses FTP sites instead of HTTP

Forcepoint researchers spotted a malware laden spam campaign, similar to Necurs, using compromised FTP sites instead of the usual HTTP link as download locations for malicious documents.

The campaign also exposed the credentials of the compromised sites in the process as the malicious emails were distributed just before 12:00 UTC on Jan. 17, 2018, and remained active for approximately seven hours, according to a Jan. 18 blog post.

Researchers speculate the FTP sites were used in an attempt to prevent being detected by email gateways and network policies that may consider FTPs trusted locations.

“Changes to distribution URLs and their formats are often used to 'buy time' for attackers: systems which cannot dynamically detect payloads will potentially have a period where they are unable to protect against the attacks until signature updates are available,” Luke Somerville, head of special investigations at Forcepoint, told SC Media.

 “Equally, Dridex is often targeted at home users who are far less likely to have scanning or blocking in place looking for 'unusual' protocols such as this.”

The spam was primarily sent to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the U.K., and Australia respectively, researchers said.

Threat actors rotated domain names such as: gov.au, com.tr, fr, with sender names such as admin@, billing@, help@ and info@ to make the malicious emails look more convincing to unsuspecting users.

The campaign used two types of documents including a DOC that abuses DDE to execute shell commands to download malware and a XLS file with a Macro that downloads Dridex. Researchers also noted that the perpetrators of the campaign didn't appear to be worried about exposing the credentials of the FTP sites they abused which could potentially expose the already-compromised sites to further abuse by other groups.

“This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,” the post said. “Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement.”

The campaign shares features with high profile malware campaigns.

The campaign displays traits of the Necurs botnet such as domains used for distribution were already in the researcher's records as compromised domains used by Necurs, which is historically known to spread Dridex. In addition, the document downloaders are also similar to those used by Necurs in the past and the download locations of the XLS file also follows the traditional Necurs format. 

Somerville said the biggest question raised given the patterns associating this campaign with previous Necurs activity is the reason for the small scale of the campaign.

“There are several possible explanations for this (e.g. Necurs is generally understood to sell its malicious email services: the end-attackers in this case may simply have bought a low tier of the service) but we're unable to give a hard and fast answer to this at present,” Somerville said. “Fundamentally, Dridex is intended to steal bank login information.”

He went on to say that while there may be some questions about the scale and URLs used in the attack, the end goal of any Dridex campaign is ultimately the acquisition of banking credentials.