Banking malware Dridex has made yet another comeback. Researchers at Forcepoint Security Labs detected a campaign that lasted just seven hours. Short attacks have become increasingly common as attackers seek to avoid detection by security vendors.
Unlike previous campaigns it used compromised FTP sites for distribution. Not only is this unusual but the attack burned each of the sites as it exposed the credentials of the compromised sites. While this allows security vendors to warn the compromised sites, it also exposed them to other attackers.
The details of the attack were revealed in a blog from security researchers Roland Dela Paz & Ran Mosessco. The researchers said: “The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable. Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement.”
What else did Forcepoint say?
Blame for the attack has been put on the Necurs botnet by Paz and Mosessco. There is good reason for doing so. Necurs has a history of spreading Dridex. In addition, the domains used were already known by Forcepoint to be used by Necurs.
Not everything is as it seems. The two researchers pointed out that the number of emails sent in this campaign was very low at just 9,500. They claim that a normal Necurs campaign would result in millions of emails.
There are several reasons why the numbers might have been low. It could be that this was a trial run to see if an FTP-based attack would be more effective in getting users to download the malware. It is also possible that this was, in itself, a probing attack to see what cybersecurity defences would detect.
The researchers seem to believe that the second is possible. They said: “Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations.”
What does this mean?
Once again we see a need for better security. This is not just about passwords. Once credentials on FTP servers are set, people tend to forget about them. This is something that Paz and Mosessco highlight. “The presence of FTP credentials in the emails highlights the importance of regularly updating passwords: a compromised account may be abused multiple times by different actors as long as the credentials remain the same.”
It is not just FTP and web credentials that make it easy for cybercriminals to attack bank accounts. According to Brooks Wallace, Managing Director EMEA, Trusted Knight: “..the vast majority of online banking customers aren’t using anything at all to protect their log-ins and transactions, leaving their accounts open for criminals to have a big payday. Dangerous – and ultimately expensive – malware like this is plundering accounts constantly and fraud and security measures need to get smarter to protect both banks and customers from massive fraud and security losses.”
Dridex also shows how willing attackers are to invest in their tools. It has been adapted to improve its effectiveness several times. This latest attack is just one more investment in the malware by its authors.
This flexibility is something that Wallace also warns about saying: “Dridex’s seemingly endless ability to evolve makes it a real problem for anyone using online banking. It’s also not exactly popular with security teams inside financial services companies themselves, given its effectiveness at stealing bank log-ins wholesale. It is a testament to the danger of such flexible malware platforms, which means teams of well-funded criminals can continue to stay one step ahead of the anti-malware and anti-virus solutions often used by even the most security conscious online banker.”