Dridex Banking Trojan Delivered Via FTP

What Is It?

Researchers recently discovered a malicious spam run spreading a new variant of the Dridex banking trojan. Dridex was first seen in late 2014 and continues to be very successful at stealing online banking credentials.

In an uncommon move, the links in the spam e-mails, which lead to the download of malicious Microsoft Office documents, point to FTP sites. It is far more common for such links to point to web pages. The FTP links in the e-mails contain the compromised credentials for accessing the FTP site.

The use of FTP links may be due to the attackers attempting to bypass e-mail security products/policies. However, it highlights the importance of keeping FTP server software up to date and having policies in place that require all FTP passwords to be changed on a regular basis, as this limits the window in which compromised credentials can be misused.
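A mail-filter check for the pattern described above, flagging FTP links that carry embedded credentials or point at Office documents. This is an added example, not part of the original report; the sample message, host, account and the extension list are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

FTP_URL_RE = re.compile(r"ftps?://[^\s\"'<>]+", re.IGNORECASE)
# Assumed list of Office extensions worth flagging; tune for your environment.
OFFICE_EXTS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".rtf")

# Constructed sample message (host, account and file name are made up).
SAMPLE = """\
From: billing@example.test
To: user@example.test
Subject: Invoice
Content-Type: text/plain; charset="utf-8"

Your invoice: ftp://acct01:S3cret@ftp.example.test/docs/invoice.doc.
Mirror list: ftp://ftp.example.test/pub/README
"""

def extract_text(raw_message):
    """Concatenate every text/* part, decoding base64/quoted-printable bodies."""
    chunks = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            try:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
            except LookupError:  # unknown charset label
                chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)

def find_ftp_links(raw_message):
    """Return one finding per FTP URL; passwords are never echoed back."""
    findings = []
    for url in FTP_URL_RE.findall(extract_text(raw_message)):
        try:
            parts = urlsplit(url.rstrip(".,;)"))
        except ValueError:  # malformed authority, e.g. broken IPv6 literal
            continue
        has_creds = bool(parts.username) and parts.password is not None
        findings.append({
            "host": parts.hostname,
            "has_credentials": has_creds,
            "office_doc": parts.path.lower().endswith(OFFICE_EXTS),
            "redacted": f"{parts.scheme}://{'***:***@' if has_creds else ''}"
                        f"{parts.hostname}{parts.path}",
        })
    return findings
```

Calling `find_ftp_links(SAMPLE)` returns two findings; only the first has `has_credentials` and `office_doc` set, which is the combination worth quarantining or alerting on.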

How Does It Propagate?

The Dridex trojan does not self-propagate.

As has been the case since it was first released, Dridex relies on a malicious spam e-mail and a malicious Microsoft Office document in order for the actual trojan to be downloaded and installed on a user’s system. Both of these steps require the user to be socially engineered into performing an action, e.g. clicking a link or allowing a macro to run. Dridex actors keep using this approach because it continues to work. This again illustrates the importance of user education as a component of your overall cyber defense strategy.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detected the Dridex trojan as malicious. Regression testing on samples has shown the Dridex trojan itself would have been detected by BluVector 32 months prior to its release and the malicious document files would have been detected 13 months prior.
