A variant of the Dridex banking trojan recently popped up in an email campaign, with an unusual twist: The attackers used compromised FTP sites for hosting malicious documents, according to researchers at Forcepoint. It was a notable departure from the norm of using HTTP links and could represent the start of a new trend.
The phishing campaign occurred earlier this week and lasted about seven hours. The top targets were users in France, the UK and Australia.
Emails used in the campaign each had hypertext links to compromised FTP servers hosting malicious files. Those FTP links enticed targets to download either DOC or XLS files. Malicious DOC files, if opened, abused the DDE (Dynamic Data Exchange) feature in Microsoft Office to download the Dridex payload. XLS files containing a macro that downloaded Dridex, Forcepoint said in a blog post.
Emails were dressed up to look more official by using sender names such as “admin@” and billing@”, the report stated.
It is possible the campaign emanated from the notorious Necurs botnet, the company said. Domains used are known as compromised and tied to the Necurs botnet, a key distributor of Dridex, said researchers.
“Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change.,” researchers wrote.
FTP could also have been used as a cloaking mechanism, since email gateways and network policies may view FTPs as trusted locations.
“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups,” said researchers. “This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable. Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement.”
Overall, the usage of FTP sites as well as the low volume of the campaign—just about 9,500 emails—makes it rather peculiar, said Luke Somerville, head of special investigations at Forcepoint, in an interview.
“What made this one stand out is that it had ties back to Necurs, but it isn’t entirely representative of a historical Necurs campaign,” Somerville said. “They’re usually much, much bigger.”
Necurs campaigns commonly involve millions of emails. Still, Forcepoint decided to hold back from stating categorically it was tied to Necurs, Somerville said.
One possibility is that the campaign was deliberately small in size. “Ultimately, Necurs spam campaigns are sold as a service,” Somerville said. “Potentially, someone bought a very low tier of the service.”
It could have also been a trial run of sorts for using FTP in phishing campaigns, he said.
Meanwhile, the campaign marked another instance of criminals taking advantage of DDE, which Microsoft has refused to patch on grounds it is a feature of Word and not a vulnerability. DDE is a protocol that allows users to share data between applications and has been abused by attackers to launch droppers, exploits and malware.
Microsoft has a valid argument, Somerville said: “Everyone has a knife in their kitchen for chopping vegetables, but you could also do something terrible with it.”
Ongoing user education is an important tool enterprises must use in battling the likes of Dridex, he added. “[Dridex] requires user interaction. People have to click on the link, they have to open the attachments.”
The variant spotted by Forcepoint is just the latest evolution of Dridex, which has targeted financial institutions, mainly in Europe, since late 2014. A variant reported in September used fake accounting invoices to steal victims’ personal information. Early last year, Dridex v4 was released with the addition of AtomBombing, a more sophisticated method of code injection.