During the week following the Orthodox New Year (January 14, 2018), the Necurs botnet re-emerged on the scene with a malspam campaign spreading an old friend, the Dridex banking trojan.
This activity was first identified by a Forcepoint Labs report, which found the campaign using compromised FTP sites rather than HTTP links (as historically observed) for the download of malicious documents. According to Forcepoint, the malicious emails were sent "primarily to .COM top level domains (TLDs) with the second, third and fourth top affected TLDs suggesting that major regional targets were France, the UK, and Australia respectively".
A recent post by Broadanalysis.com also details observations from this renewed Dridex campaign activity. The screenshot below is a sample email with an embedded FTP link for the download of a malicious MS Word document.
This malicious MS Word document contains some less than savory VBA code, as flagged by RSA's pre-release Whatsthisfile capability. This appears consistent with maldocs observed from the 21-22 January campaigns, which appear to be using macros for exploit and payload delivery (whereas the earlier campaigns reported by both Forcepoint and Broadanalysis used DDE exploit CVE-2017-11826 to begin the infection chain).
This VBA code in our malicious document auto-launches and, via some heavily obfuscated PowerShell, retrieves the Dridex payload, 'oojsd355'.
NetWitness Packets flags this download activity through a number of suspicious tags in the service.analysis, session.analysis, and file.analysis fields.
Post-infection, we observed the typical encrypted Dridex Command and Control (C2) callbacks (sample below).
NetWitness Packets also detects this activity and flags these self-signed certificates in use over both standard and non-standard SSL ports.
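As an added illustration (not code from the original post or from RSA NetWitness), the following Python sketches the defender-side checks the post describes: pulling FTP links to Office documents out of an email body, tagging sessions for FTP document downloads and self-signed certificates on standard or non-standard SSL ports, and correlating the two per host into a possible maldoc-then-C2 chain. The email text, session records and their field names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Delivery stage: an FTP link in the email pointing at an Office/RTF document.
OFFICE_DOC = re.compile(r"\.(docx?|docm|rtf|xlsx?|xlsm)(?:$|\?)", re.I)
FTP_LINK = re.compile(r"ftp://[^\s'\"<>]+", re.I)
STANDARD_TLS_PORTS = {443, 465, 993, 995}  # assumption: ports treated as "standard"

def ftp_office_links(email_body):
    """Return ftp:// URLs in an email body that point at Office/RTF documents."""
    return [u for u in FTP_LINK.findall(email_body) if OFFICE_DOC.search(u)]

def tag_session(s):
    """Tag one session record (field names assumed) with the post's indicators."""
    tags = []
    if s["proto"] == "ftp" and OFFICE_DOC.search(s.get("filename", "")):
        tags.append("ftp office doc download")
    if s["proto"] == "ssl" and s.get("self_signed"):
        tags.append("self-signed cert")
        if s["port"] not in STANDARD_TLS_PORTS:
            tags.append("ssl on non-standard port")
    return tags

def correlate(sessions, window=timedelta(minutes=30)):
    """Per host: FTP doc download followed by self-signed TLS within `window` -> alert."""
    by_host = defaultdict(list)
    for s in sorted(sessions, key=lambda s: s["time"]):
        by_host[s["src"]].append((s, tag_session(s)))
    alerts = {}
    for host, events in by_host.items():
        last_doc = None
        for s, tags in events:
            if "ftp office doc download" in tags:
                last_doc = s["time"]
            elif "self-signed cert" in tags and last_doc and s["time"] - last_doc <= window:
                alerts[host] = "possible Dridex chain: FTP maldoc then self-signed TLS"
    return alerts

# Constructed sample data (documentation IP space), not from any real capture.
T = datetime(2018, 1, 22, 9, 0)
SAMPLE_EMAIL = "Please see the attached invoice: ftp://198.51.100.7/pub/Invoice_0122.doc"
SAMPLE_SESSIONS = [
    {"src": "10.0.0.5", "proto": "ftp", "port": 21, "filename": "Invoice_0122.doc", "time": T},
    {"src": "10.0.0.5", "proto": "ssl", "port": 443, "self_signed": True, "time": T + timedelta(minutes=3)},
    {"src": "10.0.0.5", "proto": "ssl", "port": 4143, "self_signed": True, "time": T + timedelta(minutes=4)},
    {"src": "10.0.0.9", "proto": "ssl", "port": 8443, "self_signed": True, "time": T + timedelta(minutes=5)},
]
print(ftp_office_links(SAMPLE_EMAIL), correlate(SAMPLE_SESSIONS))
```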
Thanks to Ahmed Sonbol for his assistance in this research, and all related IOCs can be found below.