Delaware, USA – January 22, 2018 – Last week, researchers from Forcepoint Security Labs registered a spam campaign distributing the latest version of the Dridex banking trojan. Over approximately seven hours, about 10,000 emails were sent containing links to compromised FTP servers. The adversaries used two document types in this campaign: DOC files abused the DDE function to run a PowerShell command that downloads the Dridex trojan, and XLS files contained a malicious macro. A number of clues point to a connection between this attack and the infamous Necurs botnet, which is well known for its capability to send millions of malicious emails per day. The researchers believe that this could be a test of the effectiveness of using FTP to bypass security solutions. Also worrisome is the abuse of DDE in Microsoft Word for infection: a few days ago this feature was exploited to distribute the Zyklon backdoor.
Although Microsoft disabled the DDE feature in the December security update for MS Office, cybercriminals continue to experiment with this technique. To monitor this threat, you can deploy the DDE Exploitation Detector SIEM use case to receive notifications of any attempts to abuse this feature. It is also necessary to monitor the security of the company’s web resources, since it is not known how the FTP servers were compromised. For this purpose, you can use the Web Application Security Framework, which will help your SIEM detect attempts at web application misuse.
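As an added example (not from Forcepoint's research or the SIEM use case named above), the following scanner pulls every field code out of a .docx and flags DDE/DDEAUTO instructions, including the quoted and split-across-runs variants that defeat a plain search for "DDEAUTO". The sample document is constructed inline with placeholder values; only word/document.xml is built, because that is the only part the scanner reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_URI = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_URI + "}"
# Field codes that make Word launch a program via DDE; leading whitespace and
# quotes are tolerated because droppers use them to dodge naive string matches.
DDE_RE = re.compile(r'^\s*"?\s*DDE(?:AUTO)?\b', re.IGNORECASE)

def extract_field_codes(docx_bytes):
    """Collect every field instruction in word/document.xml. Complex fields
    spread their code over several <w:instrText> runs, so runs between a
    fldChar begin and end are joined; simple fields use the w:instr attribute."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    fields, current = [], None
    for el in root.iter():
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                fields.append("".join(current))
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    return fields

def find_dde_fields(docx_bytes):
    """Return the field codes that would trigger DDE execution on open."""
    return [f for f in extract_field_codes(docx_bytes) if DDE_RE.match(f)]

def build_sample_docx(document_xml):
    """Constructed minimal .docx holding only the part the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed sample: quoted DDEAUTO split across runs; placeholder program/args, not a real payload.
SAMPLE_DDE_XML = (
    f'<w:document xmlns:w="{W_URI}"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> "DDEA</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">UTO" PLACEHOLDER_PROGRAM "ARGS"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
```

Running `find_dde_fields(build_sample_docx(SAMPLE_DDE_XML))` returns the single reassembled DDEAUTO field, while a document whose only field is a DATE field returns an empty list.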