During the week following the Orthodox New Year (January 14, 2018), the Necurs botnet re-emerged on the scene with a malspam campaign spreading an old friend, the Dridex banking trojan.
This activity was first identified by a Forcepoint Labs report, which found the campaign using compromised FTP sites rather than HTTP links (as historically observed) for the download of malicious documents. According to Forcepoint, the malicious emails were sent "primarily to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the UK, and Australia respectively".
A recent post by Broadanalysis.com also details observations from this renewed Dridex campaign activity. The screenshot below is a sample email with an embedded FTP link for the download of a malicious MS Word document.
This FTP link leads to the direct download of our malicious Word document.
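As an added example (not part of the original research or of any RSA tooling), the following sketch shows one way a mail filter could flag the delivery pattern described above: an ftp:// link in a message body that points directly at an Office document. The extension list, the sample message and its host and file names are constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit, unquote

# Office document extensions treated as risky over FTP (assumed list).
DOC_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf")
URL_RE = re.compile(r"""\bftp://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample message; hosts and file names are placeholders.
SAMPLE_EML = """\
From: billing@sender.example
To: user@recipient.example
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your invoice is ready:
<a href="ftp://files.example.net/docs/Invoice-0118.doc">view</a> or see
<a href="https://portal.example.org/help.doc">help</a>.</p></body></html>
"""

def ftp_document_links(raw_message):
    """Return (host, port, filename) for each ftp:// link to an Office document."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # only inspect text/plain and text/html bodies
        for url in URL_RE.findall(part.get_content()):
            try:
                parts = urlsplit(url.rstrip(".,;)"))
                port = parts.port or 21  # default FTP control port
            except ValueError:
                continue  # malformed URL or port, skip it
            name = unquote(parts.path).rsplit("/", 1)[-1]
            hit = (parts.hostname, port, name)
            if name.lower().endswith(DOC_EXTS) and hit not in hits:
                hits.append(hit)
    return hits

if __name__ == "__main__":
    for host, port, name in ftp_document_links(SAMPLE_EML):
        print(f"ALERT ftp link to document: {name} on {host}:{port}")
```

The HTTPS link in the sample is ignored on purpose, since the check targets only the FTP delivery variant.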
This malicious MS Word document contains some less than savory VBA code, as flagged by RSA's pre-release Whatsthisfile capability. This appears consistent with maldocs observed in the 21-22 January campaigns, which appear to use macros for exploit and payload delivery (whereas early campaigns, as reported by both Forcepoint and Broadanalysis, were observed using a DDE exploit to begin the infection chain).
This VBA code in our malicious document auto-launches and, via some heavily obfuscated PowerShell, retrieves the Dridex payload, 'oojsd355'.
NetWitness Packets flags this download activity through a number of suspicious tags in the service.analysis, session.analysis, and file.analysis fields.
Post infection, we observed the typical encrypted Dridex Command and Control (C2) callbacks (sample below).
NetWitness Packets also detects this activity and flags these self-signed certificates in use over both standard and non-standard SSL ports.
Thanks to Ahmed Sonbol for his assistance in this research. All related IOCs can be found below.
Delivery documents (SHA256):