Dridex redux, with FTP serving the nasties

Keep your eyes open for yet-another Dridex-based malware attack.

Forcepoint researchers spotted the campaign last week, noting that instead of hitting up HTTP links the attackers are targeting compromised FTP sites (and exposing those sites' credentials).

The FTP sites in question were used to host the malware sent to victims who clicked on links (insert usual statement about care with links), and the post noted that the attackers didn't care that they exposed the logins of sites they abused. The upshot, however, could be that other attackers also get a chance to abuse the same targets.

Around half of the phishing messages in the campaign went to .com domains, roughly a quarter to .fr domains, with Australia and the UK among other regional targets.

A victim who clicked the link either found themselves compromised via DDE (a popular vector late last year); or in an Excel file carrying an infected macro.

Forcepoint's post associates the campaign with the Necurs botnet, because the distribution domains were already in the company's records; Necurs has spread Dridex in the past; and “The download locations of the XLS file also follows the traditional Necurs format.” ®