
Dridex redux, with FTP serving the nasties

 
January 22nd 2018
Venerable malware is back for another round of phishing
Keep your eyes open for yet another Dridex-based malware attack.

Forcepoint researchers spotted the campaign last week, noting that instead of hitting up HTTP links the attackers are targeting compromised FTP sites (and exposing those sites' credentials).

The FTP sites in question were used to host the malware sent to victims who clicked on links (insert usual statement about care with links), and the post noted that the attackers didn't care that they exposed the logins of sites they abused. The upshot, however, could be that other attackers also get a chance to abuse the same targets.

Around half of the phishing messages in the campaign went to .com domains, roughly a quarter to .fr domains, with Australia and the UK among other regional targets.

A victim who clicked the link was compromised either via DDE (a popular vector late last year) or via an Excel file carrying an infected macro.

Forcepoint's post associates the campaign with the Necurs botnet, because the distribution domains were already in the company's records; Necurs has spread Dridex in the past; and “The download locations of the XLS file also follows the traditional Necurs format.”
