The operators of the Necurs botnet have launched several phishing campaigns in the past few days to spread the Dridex banking Trojan. Other malware and cryptocurrency miners are also being distributed in large-scale campaigns, and new tactics are being used to increase infection rates and avoid detection.
The latest Dridex campaign, launched in the past few days, targets customers of major US and European banks. When users click a link in one of the emails or open a malicious attachment, the banking Trojan is downloaded. Once installed it takes no visible action until the user visits a specific type of website: the online banking portal of one of the financial institutions the attackers are targeting.
The malware uses redirects and web injections to make users believe they are on the genuine banking website. Login credentials entered into the injected or redirected pages are sent to the attackers, who use them to access the real accounts and steal funds.
Forcepoint Security reports that the attackers have switched from HTTP links to FTP sites to distribute the attack code. The switch to FTP is believed to be an attempt to bypass email gateway solutions, which are more likely to trust FTP links than HTTP links. Access to the FTP sites is believed to have been obtained because their owners had secured the accounts with weak credentials.
The Forcepoint researchers explain, “The presence of FTP credentials in the emails highlights the importance of regularly updating passwords: a compromised account may be abused multiple times by different actors as long as the credentials remain the same.”
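The two indicators described above, an FTP link in the lure and a link that carries the compromised account's credentials, are easy to check for at the gateway. The following is an added example written for this article, not code from Forcepoint or from the campaign: it pulls URLs out of an email body, flags FTP links, embedded credentials and Office document names, and redacts the password before the finding is logged, so the alert itself does not re-leak the credential. The sample emails, hosts and credentials are constructed for the example.

```python
"""Flag FTP links and embedded credentials in phishing email text.

Added example (not from the Forcepoint report or the article): a gateway-style
check for the tactic described above, where the lure links to an FTP site and
the link itself carries the compromised account's credentials. The sample
emails below are constructed; the hosts and credentials are made up.
"""
import re
from urllib.parse import urlsplit

# Matches http(s) and ftp URLs in free text. Deliberately simple: real mail
# gateways also have to look inside HTML href attributes and decoded attachments.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)

# Attachment types seen in the campaigns described above (Word and Excel lures).
OFFICE_SUFFIXES = ('.doc', '.docm', '.docx', '.xls', '.xlsm', '.rtf')


def extract_urls(text):
    """Return the URLs found in free text, with trailing punctuation removed."""
    return [u.rstrip('.,;)') for u in URL_RE.findall(text)]


def classify_url(url):
    """Return the list of reasons a URL is suspicious (empty if none)."""
    parts = urlsplit(url)
    reasons = []
    if parts.scheme.lower() == 'ftp':
        reasons.append('ftp-link')
    if parts.username is not None:
        # ftp://user:pass@host/... : the lure carries the stolen FTP account.
        reasons.append('embedded-credentials')
    if parts.path.lower().endswith(OFFICE_SUFFIXES):
        reasons.append('office-document')
    return reasons


def redact_credentials(url):
    """Replace the password in a user:pass@host URL so it can be logged safely."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    return url.replace(':' + parts.password + '@', ':***@', 1)


def scan_email(body):
    """Map each suspicious URL in an email body to its list of reasons."""
    findings = {}
    for url in extract_urls(body):
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample emails (not real campaign messages).
SAMPLE_FTP_EMAIL = (
    "Hi, the invoice you asked for is at "
    "ftp://dave:Winter2017@ftp.example.net/invoices/Inv_4471.doc. Regards"
)
SAMPLE_HTTP_EMAIL = "Details of the role are at http://example.com/jobs/offer.pdf"


if __name__ == '__main__':
    for body in (SAMPLE_FTP_EMAIL, SAMPLE_HTTP_EMAIL):
        for url, reasons in scan_email(body).items():
            print(redact_credentials(url), reasons)
```

Beyond blocking, the `embedded-credentials` hit is the operationally useful one: the host and username identify a third party whose account has been compromised and who, as the quote above notes, will keep being abused until the password is changed.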
The emails carry Word documents and Excel spreadsheets: the Word files abuse the DDE (Dynamic Data Exchange) linking feature of Microsoft Office, while the spreadsheets use malicious macros. The latest campaigns also differ considerably in size from past Necurs campaigns, which typically involve millions of emails; these attacks are much smaller, involving fewer than 10,000 emails.
The emails used in these campaigns vary from messages with next to no text to more elaborate emails carefully crafted to ensure a high response rate. The subjects follow the usual phishing themes: several campaigns advertise profitable work-from-home schemes or new investment opportunities, and others use dating website lures in which recipients are told about profile views and attractive women who have expressed an interest.
While these campaigns are small at the moment, the operators of Necurs appear to be alternating them with massive spam campaigns, on some days at such a scale that Necurs emails account for 90% of all spam sent that day.
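Both lure types can be detected statically without opening the file in Office, because a .docx/.docm/.xlsm is a zip of XML parts: a DDE attack is a Word field whose instruction starts with `DDE` or `DDEAUTO`, and a macro document carries a `vbaProject.bin` part. The scanner below is an added example written for this article, not code from Forcepoint or from the campaign. It walks the field markers in `word/document.xml` and joins the instruction text of each field before inspecting it, because attackers split `DDEAUTO` across several runs so that no single `<w:instrText>` node contains the keyword. The sample documents are built in memory and are constructed for the example; no real malware sample is used.

```python
"""Scan Office Open XML files for DDE fields and embedded VBA projects.

Added example, not code from the article or from Forcepoint: a static check for
the two lure types described above, DDE-abusing Word documents and
macro-carrying spreadsheets. The sample documents are constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
DDE_RE = re.compile(r'\bDDE(?:AUTO)?\b', re.IGNORECASE)


def _w(tag):
    return '{%s}%s' % (W_NS, tag)


def word_field_instructions(document_xml):
    """Return the instruction string of every field in a Word document.xml.

    Simple fields keep the instruction in a w:instr attribute. Complex fields
    spread it over w:instrText nodes between a 'begin' and an 'end' w:fldChar,
    so those fragments are joined before the caller looks for DDE keywords.
    """
    root = ET.fromstring(document_xml)
    fields = []
    stack = []  # one fragment list per open complex field (fields can nest)
    for el in root.iter():  # depth-first pre-order == document order
        if el.tag == _w('fldSimple'):
            fields.append(el.get(_w('instr'), ''))
        elif el.tag == _w('fldChar'):
            kind = el.get(_w('fldCharType'))
            if kind == 'begin':
                stack.append([])
            elif kind == 'end' and stack:
                fields.append(''.join(stack.pop()))
        elif el.tag == _w('instrText') and stack:
            stack[-1].append(el.text or '')
    return [' '.join(f.split()) for f in fields]


def scan_office_file(data):
    """Return findings for an OOXML package (.docx/.docm/.xlsx/.xlsm) given as bytes."""
    findings = {'dde_fields': [], 'vba_project': False, 'macro_enabled': False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings['vba_project'] = any(n.lower().endswith('vbaproject.bin') for n in names)
        if '[Content_Types].xml' in names:
            findings['macro_enabled'] = b'macroEnabled' in zf.read('[Content_Types].xml')
        if 'word/document.xml' in names:
            for instr in word_field_instructions(zf.read('word/document.xml')):
                if DDE_RE.search(instr):
                    findings['dde_fields'].append(instr)
    return findings


def is_suspicious(findings):
    return bool(findings['dde_fields']) or findings['vba_project']


def build_ooxml(parts):
    """Constructed-sample builder: zip {name: str-or-bytes} into an OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a Word document whose DDEAUTO field is split across two
# runs ('DDE' + 'AUTO ...'), the evasion this scanner is written to catch. The
# command is a harmless echo; it is a placeholder, not a real payload.
_DDE_DOCUMENT_XML = (
    '<w:document xmlns:w="' + W_NS + '"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\\\windows\\\\system32\\\\cmd.exe '
    '"/k echo constructed sample"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Invoice</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)
DDE_DOCX = build_ooxml({'[Content_Types].xml': '<Types/>',
                        'word/document.xml': _DDE_DOCUMENT_XML})
# Constructed sample: a macro-enabled workbook with a placeholder VBA project.
MACRO_XLSM = build_ooxml({
    '[Content_Types].xml': '<Types><Override PartName="/xl/workbook.xml" '
                           'ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/></Types>',
    'xl/workbook.xml': '<workbook/>',
    'xl/vbaProject.bin': b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed placeholder',
})
CLEAN_DOCX = build_ooxml({
    '[Content_Types].xml': '<Types/>',
    'word/document.xml': '<w:document xmlns:w="' + W_NS + '"><w:body><w:p>'
                         '<w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>',
})

if __name__ == '__main__':
    for label, blob in (('dde.docx', DDE_DOCX), ('macro.xlsm', MACRO_XLSM), ('clean.docx', CLEAN_DOCX)):
        result = scan_office_file(blob)
        print(label, 'SUSPICIOUS' if is_suspicious(result) else 'clean', result)
```

For production use the same field walk has to be applied to the other story parts of a Word package (headers, footers, footnotes, comments), since a field placed there is just as effective, and a VBA project in a spreadsheet should be inspected rather than merely flagged; this example stops at the presence check the paragraph above describes.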