In a Twist, Dridex Campaign Uses FTP Sites

A peculiar email campaign is going around, distributing a variant of the Dridex banking Trojan. The peculiarity lies in the fact that the attack uses compromised FTP sites – instead of the more usual malicious web links – as download locations for malicious documents.

According to Forcepoint Security Labs, this has exposed the credentials of the compromised FTP sites in the process.

“The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way,” explained Forcepoint researchers Roland Dela Paz and Ran Mosessco, in a blog post. They added that a compromised account may be abused multiple times by different actors as long as the credentials remain the same, widening the potential for damage.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already compromised sites to further abuse by other groups,” they said. “This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable.”

The use of FTP sites may be an attempt to fly under the radar of cybersecurity defenses. Also, if a compromised site is used by multiple actors, it makes attribution harder for security professionals and law enforcement.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates,” Paz and Mosessco said. “In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations.”
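A gateway-side check for the gap described above, as an added example that is not from Forcepoint or the original article: it lists FTP links found in a message and flags those that carry credentials in the URL. The sample message, the hosts and the assumption that exposed credentials appear as URL userinfo (`user:pass@host`) are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed sample message (not taken from the campaign); hosts are reserved example domains.
SAMPLE_EML = """\
From: billing@example.org
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your invoice: <a href="ftp://acct:S3cret@ftp.example.net/docs/invoice.xls">view</a></p>
<p>Help: https://www.example.com/help and ftp://ftp.example.org/pub/readme.txt</p>
"""

URL_RE = re.compile(r"""\b(?:ftps?|https?)://[^\s"'<>]+""", re.IGNORECASE)

def ftp_links(raw_message):
    """Return one finding per ftp:// or ftps:// URL in the message's text parts."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # attachments and multipart containers are out of scope here
        for url in URL_RE.findall(part.get_content()):
            parts = urlsplit(url.rstrip(".,;)"))
            if parts.scheme.lower() not in ("ftp", "ftps"):
                continue
            findings.append({
                "host": parts.hostname,
                "path": parts.path,
                # Assumption: exposed credentials appear as URL userinfo (user:pass@host).
                "has_credentials": parts.password is not None,
                "user": parts.username,  # the password itself is never stored or logged
            })
    return findings

if __name__ == "__main__":
    for finding in ftp_links(SAMPLE_EML):
        print(finding)
```

A finding with `has_credentials` set is also a signal that the named account needs its password rotated, since anyone who received the message can read it.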

The researchers also believe the Necurs botnet is behind the campaign. Various attributes point to this. For instance, the domains used for distribution were already in Forcepoint’s records as compromised domains used in previous Necurs campaigns, and the document downloaders are similar to those used by Necurs in the past. The download locations of the XLS file also follow the traditional Necurs format; and, not to be ignored, Necurs is historically known to spread Dridex.

What argues against Necurs being involved is the smaller size of the campaign. In this week's attack, about 95,000 emails were sent, compared to Necurs’ average of millions of messages.

“The size of the campaign is more or less 'average,’” said Paz and Mosessco. “Given Necurs' typical association with very large campaigns, the reason for this remains something of a mystery. [Also] Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change.”

The researchers observed malicious emails being distributed earlier this week for a period of around seven hours. The emails were sent primarily to .com top-level domains (TLDs), as well as TLDs that point to major regional targets being France (.fr), the UK ( and Australia (
