The latest Dridex phishing campaign has been using various hot topics to lure its victims, including COVID-19 funeral assistance and employee termination letters. Regardless of the message’s contents, the purpose of the email is to get the reader to click on an attachment, which is typically in Excel or Word format. Opening this document installs malicious code on the victim’s computer, which then performs a variety of actions.
The first known Dridex attack occurred in 2012, and it had become one of the most common financial Trojans by 2015. Analysts expect malicious actors to continue targeting financial institutions and their customers with Dridex for the foreseeable future.
Dridex email message are more effective than many other phishing schemes due to the efforts used to make them appear authentic. These messages generally use legitimate business names, domains and professional terminology. The content is also carefully chosen to create a sense of urgency with the reader, often by relying on current events. The sender’s email address usually appears legitimate because it’s something like firstname.lastname@example.org, email@example.com or firstname.lastname@example.org. In addition, the subject line and attachment title contains words such as “debit note,” “invoice,” “order” and “receipt,” which tend to get the reader’s attention. The use of multiple points of contact provides further credibility for the reader.
Security researchers from MalwareHunterTeam and 604Kuzushi reported on December 25, 2021 that attackers are using the COVID-19 Omicron variant to troll its victims. The message has a subject line that reads something like “COVID-19 Test Results,” with a message body that informs them they were exposed to a coworker who has Omicron variant.
The message also provides the password to open the attached Excel document. Once the victim clicks on the attachment and enters the password, a blurred document is displayed, and the victim is prompted to “Enable Content.” The malware embedded in the document then displays an alert that includes a fake number for a COVID-19 Funeral Assistance Helpline.
In this variant of the Dridex campaign, the email message informs recipients that their employment will end on December 24, 2021, and this decision is irrevocable. A password-protected Excel spreadsheet is attached to the message, which contains the campaign’s payload. Opening the spreadsheet and entering the password displays a blurred form entitled “Personnel Action” that prompts readers to enable the content. If they do, the attachment displays a popup alert that reads something like “Merry X-Mas Dear Employees!.”
This action also executes malicious Excel macros that perform various actions such as launching an HTML Application (HTA) file with a random name. This file appears to be a Rich Text Format (RTF) file, but it’s actually a VBScript that downloads Dridex and a troll message from a Discord server. Once installed, Dridex performs malicious actions such as stealing the victim’s credentials and installing other malware.
Dridex has trolled for victims in various ways since its first appearance in 2012. In addition to Covid and employment terminations, Dridex attacks have also used racist and anti-Semitic content to persuade readers into opening the attachment. Furthermore, these campaigns have used methods to install Dridex that don’t rely on the user to take direct action. In December 2021, malicious actors installed Dridex by exploiting a vulnerability in the Log4j Java-based logging utility.
Dridex campaigns are taking advantage of current events to increase the likelihood that the recipients of their emails will open the attachment. Regardless of the specific message, the attachment contains the campaign’s payload. In the case of Dridex, attackers have remained particularly flexible in the message they use. Despite the ever-changing content, experts continue to recommend the standard practice of not opening email attachments until verifying the sender.
Stack of papers with pen, glasses and Termination text flickr photo by wuestenigel shared under a Creative Commons (BY) license