New Necurs Botnet Phishing Campaign Disperses Dridex Banking Trojan

February 1, 2018


The operators of the Necurs botnet have launched numerous phishing campaigns in the past few days that are being used to distribute the Dridex banking Trojan. Other malware, including cryptocurrency miners, is also being distributed in large-scale campaigns. New tricks are being used to ensure infection and evade detection.

The newest Dridex malware campaign was started in the past few days and targets customers of major US and European banks. When users click the links in the emails or open the malicious attachments, the banking Trojan is downloaded. The malware remains dormant on their machines until they visit a specific website: the website of one of the financial institutions the attackers are targeting.

The malware uses redirects and web injects to trick users into believing they are on the genuine banking website. When their login credentials are entered, they are sent to the attackers, who use them to access the real accounts and steal funds.

Forcepoint Security reports that the attackers have switched from HTTP links to FTP sites to distribute the attack code. The switch to FTP is thought to be an attempt to bypass email gateway solutions, which are more likely to trust FTP connections. Access to the FTP sites is believed to have been obtained as a result of users protecting their accounts with weak credentials.

The Forcepoint researchers explain, “The presence of FTP credentials in the emails underlines the importance of frequently updating passwords: a compromised account might be misused several times by different actors as long as the credentials remain the same.”
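The two observations above, delivery links that use ftp:// rather than http://, and credentials embedded directly in those links, are simple to check for at the mail gateway. The following Python is an added example (not code from Forcepoint or from the article) that extracts URLs from message bodies and holds any link that is an FTP download, carries an embedded user name or password, or points at an Office document; the sample messages and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches http(s)/ftp URLs in free text; trailing punctuation is trimmed below.
URL_RE = re.compile(r"""\b(?:https?|ftp)://[^\s<>"']+""", re.IGNORECASE)
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".rtf")

def extract_urls(text):
    """Return every URL in an email body, with trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:)]}") for m in URL_RE.finditer(text)]

def classify_link(url):
    """Describe why a link is (or is not) worth holding for review."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # A link that carries its own FTP user name/password is the pattern the
    # Forcepoint quote describes: a compromised account reused for hosting.
    has_creds = parts.username is not None or parts.password is not None
    office_doc = parts.path.lower().endswith(OFFICE_EXTS)
    return {
        "url": url,
        "scheme": scheme,
        "host": parts.hostname or "",
        "embedded_credentials": has_creds,
        "office_document": office_doc,
        # Gateways that implicitly trust FTP are exactly what the switch
        # exploits, so treat any FTP download link as review-worthy.
        "suspicious": scheme == "ftp" or has_creds or office_doc,
    }

def scan_email(body):
    """Return only the links from one message body that should be held."""
    return [c for c in (classify_link(u) for u in extract_urls(body)) if c["suspicious"]]

# Constructed sample messages (not real campaign artifacts).
SAMPLE_EMAILS = [
    "Your invoice is ready: ftp://acct:S3cret@ftp.example.test/docs/invoice_0193.doc",
    "Please review https://intranet.example.test/reports/q1.html before Friday.",
    "see attached ftp://ftp.example.test/pub/statement.xls.",
]

if __name__ == "__main__":
    for body in SAMPLE_EMAILS:
        for hit in scan_email(body):
            print(f"HOLD {hit['url']} scheme={hit['scheme']} "
                  f"creds={hit['embedded_credentials']} office={hit['office_document']}")
```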

The email campaigns use Word documents and Excel spreadsheets, the former abusing the DDE linking feature of MS Office and the latter using malicious macros. The latest campaigns differ substantially from earlier ones, which usually involved millions of emails. These attacks are happening on a much smaller scale, involving fewer than 10,000 emails.

The kinds of emails used in these campaigns vary, from emails with next to no text to more elaborate emails that have been carefully crafted to ensure a high response rate. The subjects include the usual phishing themes, with numerous campaigns advising users of lucrative work-from-home schemes, details of new investment opportunities, and dating website scams in which recipients are told about profile views and attractive women who have expressed an interest.

Although the campaigns are small at the moment, it appears that the operators of Necurs are alternating them with massive spam campaigns, to such an extent that their emails account for 90% of all spam sent on a given day.