The Dridex malware is active again and spreading via email campaigns by sending fake employee termination emails. The emails are used as bait to open a malicious Excel document that trolls the victim.

What has happened?

A security researcher with the online moniker TheAnalyst spotted the Dridex malware in the ongoing campaign.
  • The malware operators were sending employee termination emails that tell recipients that their employment is ending on 24 December this year, and that this decision cannot be changed.
  • The emails included an attached password-protected spreadsheet that delivers the Dridex malware.
  • Once launched, it installs other malware, steals credentials, and performs other malicious actions.

The infection chain

If a recipient opens the Excel spreadsheet and enters the password, a blurred Personnel Action Form is shown that says they must Enable Content to view it properly.
  • If the victim chooses to Enable Content, a popup is displayed to troll the victim with the alert "Merry X-Mas Dear Employees!". Meanwhile, malicious macros execute in the background and launch a malicious HTA file.
  • This HTA file has a random name and pretends to be an RTF file, but it contains VBScript that downloads Dridex from Discord to compromise the device, along with a troll message.
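The chain above gives defenders two concrete things to look for: an Office process spawning a script host such as mshta.exe, and a file carrying an .rtf extension that is not actually RTF. The following Python script is an added example, not code from the original article or from any vendor; the process-creation events, file bytes and field names it uses are constructed for illustration and do not come from the campaign.

```python
import os

# Parent images that should rarely, if ever, launch a script host.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script hosts the macro-to-HTA step relies on (mshta.exe for .hta files).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events (hypothetical telemetry layout, ours).
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3990,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\bob\Downloads\Termination_Notice.xlsm'},
    {"pid": 4122, "ppid": 4101,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\bob\AppData\Local\Temp\xk3j9q.rtf"},
    {"pid": 2200, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # mshta launched from Explorer: noisy, but not the Office chain we want.
    {"pid": 2300, "ppid": 2200,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\dashboard.hta"},
]

# Constructed file contents: a genuine RTF header versus an HTML/VBScript
# body hiding behind an .rtf name (placeholder script, no payload).
REAL_RTF_SAMPLE = b"{\\rtf1\\ansi Hello from a real RTF}"
FAKE_RTF_SAMPLE = (b"<html><head><script language=\"VBScript\">"
                   b"' constructed placeholder\n</script></head></html>")

RTF_MAGIC = b"{\\rtf"


def _basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_script_host(events):
    """Flag script-host processes whose direct parent is an Office application."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and _basename(parent["image"]) in OFFICE_IMAGES:
            hits.append({"pid": e["pid"],
                         "parent": _basename(parent["image"]),
                         "child": _basename(e["image"]),
                         "cmdline": e["cmdline"]})
    return hits


def is_disguised_hta(filename, data):
    """True when a file named *.rtf lacks the RTF header but looks like HTA/HTML."""
    if os.path.splitext(filename)[1].lower() != ".rtf":
        return False
    if data.lstrip().startswith(RTF_MAGIC):
        return False  # genuine RTF; extension and content agree
    head = data[:4096].lower()
    return b"<script" in head or b"vbscript" in head


if __name__ == "__main__":
    for hit in office_spawned_script_host(SAMPLE_EVENTS):
        print("ALERT office->script host:", hit)
    for name, blob in (("memo.rtf", REAL_RTF_SAMPLE), ("xk3j9q.rtf", FAKE_RTF_SAMPLE)):
        print(name, "disguised HTA:", is_disguised_hta(name, blob))
```

The parent-child check is deliberately narrow (direct parent only) so it stays quiet on a normal fleet; the file check keys on the RTF header rather than the extension, which is exactly the mismatch the campaign's HTA relies on.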

Recent incidents

  • In the past few weeks, a Dridex affiliate was found operating multiple email campaigns in which they trolled researchers using email addresses and filenames laden with anti-semitic and racist words.
  • Moreover, a few days ago, some actors were observed using the Log4j vulnerability to install Dridex.

Conclusion

With the festive season here, cybercriminals are lurking to take advantage of the situation. The recent Dridex campaign is a prime example of the festive season being leveraged for malicious purposes. Experts therefore suggest staying alert during the festive season and never opening emails from unknown senders.

Cyware Publisher