Dridex banking Trojan compromises FTP sites in new campaign

The Trojan is back with a new technique to avoid detection by email gateways.
Written by Charlie Osborne, Contributing Writer

Researchers have discovered the Dridex banking Trojan has once again evolved and is now using compromised FTP websites in phishing campaigns.

The Trojan was first spotted back in 2014 after targeting banks in the United Kingdom.

Since then, Dridex has become infamous for striking financial institutions across Europe.

The malware spreads through phishing campaigns, duping victims into downloading and executing malicious macros hidden in Microsoft documents, as well as attacks by way of web injections.

Once the Trojan has compromised a PC, it steals online banking credentials which can then used fraudulently by operators to plunder bank accounts.

Spam and phishing campaigns utilizing the Trojan usually rely on HTTP download locations for malware payloads. However, Forcepoint Security Labs said on Thursday that a "peculiar" email campaign distributing a Dridex variant has chosen a more unusual method.

In a blog post, the team said compromised FTP websites are now being used to distribute the malware, which also exposes the credentials of the vulnerable domains in the process.

In this particular campaign, malicious emails were distributed on January 17 this year and remained active throughout the day. The emails were sent primarily to top-level domains including .com, .fr, and .co.uk.

France, the UK, and Australia were the most targeted countries.


According to the team, the sender domains were from compromised accounts from the FTP websites, and sender names -- such as admin@, billing@, and no-reply@ were rotated to appear more authentic.


The Dridex campaign uses two types of documents; an XLS file with a malicious macro that downloads the Trojan, and the second is a DOC file which abuses Dynamic Data Exchange (DDE) to execute shell commands.

"The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups," Forcepoint says. "This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable."

It may be that the latest Dridex campaign originates from the Necurs botnet, as the domains used for distribution are the same as previous Necurs campaigns; the downloaders are similar, and the download locations for the XLS file have been connected to Necurs in the past.

"Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change," the team says. "In this case, FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations."

See also: Dridex Trojan targets UK banks, avoids two factor authentication checks

Last year, the Trojan was upgraded with a set of new abilities.

Known as AtomBombing, the sophisticated evasive code added to Dridex forces legitimate software to retrieve malicious code from compromised atom tables in the Microsoft Windows operating system.

The malware copies a payload into memory but calls a virtual memory process to avoid detection when deploying malicious code.

Dridex was also equipped with new encryption and persistence mechanisms.

Top tips to stay safe on public Wi-Fi networks

Previous and related coverage

    Dridex Trojan updated with AtomBombing evasion techniques

    A major upgrade to the malware will potentially cause even more headaches for European banks.

    New Trojan malware campaign sends users to fake banking site that looks just like the real thing

    Trickbot is now redirecting to a counterfeit site that displays the correct URL and the digital certificate of its genuine equivalent.

    Hackers are making their malware more powerful by copying WannaCry and Petya ransomware tricks

    The group behind Trickbot is attempting to give its Trojan malware the self-spreading worm-like capabilities that have made recent ransomware attacks go global.

      Editorial standards