Security researchers have uncovered a malicious email campaign that distributed the Dridex banking trojan using phishing emails and by using compromised FTP sites instead of HTTP links.
The email campaign to distribute the Dridex banking trojan targeted users located in France, the UK, and Australia and used FTP sites that were already compromised by the Necurs campaign.
The Dridex banking trojan is frequently used by hackers to target banking software, back-end payment and point-of-sale software. Even though hackers are now preferring crypto-ransomware, the trojan is still being developed by some to make it even more dangerous and stealthy. Its involvement in the recent email campaign makes it clear that it continues to be a weapon of choice for some hackers.
According to researchers at Forcepoint who uncovered the campaign, it began on 17th January and remained active for seven hours, targeting .COM top-level domains (TLDs) in France, the UK, and Australia. Hackers behind the operations used compromised domains to send phishing emails to targeted individuals.
Once the Dridex banking trojan infiltrates a system, it collects information like the user’s computer name, username, installation date of the operating system, operation system version, and a list of installed software and sends the information to a C&C server.
Hackers behind the operation also blacklisted machines based on usernames and operating system installation dates, making it difficult for automated analysis systems to find and block the appropriate IPs, obtain the core module and list of peers.
‘The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,’ they noted.
Unlike usual phishing campaigns, hackers behind the current campaign used FTP sites instead of malicious HTTP links to download the Dridex banking trojan to targeted devices. However, unlike existing campaigns like Necurs that targeted millions of users, researchers described the size of the new campaign as ‘average’, adding that ‘the reason for this remains something of a mystery’.
To ensure that their systems are not compromised by the trojan, researchers are now asking users remain cautious and vigilant when opening e-mails containing attachments or links, and to ensure that Microsoft Office macros are disabled whenever possible.