Over the last few weeks, a Dridex banking malware distributor has been playing games with victims and researchers. The most recent example is a phishing campaign that teases victims with a COVID-19 funeral aid helpline number.
Dridex is a banking trojan spread by phishing emails carrying malicious Word or Excel attachments. When such an attachment is opened with macros enabled, the malware is downloaded and installed on the victim's computer. Once installed, Dridex attempts to steal online banking credentials, spread to other computers on the network, and give the attackers remote access that can later be used to deploy ransomware.
Over the last several weeks, a Dridex phishing email distributor has been having a lot of fun with both victims and researchers. The behaviour was first noticed when the threat actor began trolling security researchers, using their names together with racist remarks as malware file names and sender email addresses.
The same threat actor took this a step further in a new phishing campaign detected by MalwareHunterTeam and 604Kuzushi, sending emails with the subject "COVID-19 testing result" that claim the recipient was exposed to a coworker who tested positive for the Omicron COVID-19 variant.
"This letter is to inform you that you have been exposed to a coworker who tested positive for OMICRON variant of COVID-19 sometime between December 18th and 20th," reads the new phishing email.
The email contains a password-protected Excel attachment together with the password needed to open it; encrypting the attachment prevents email security gateways from inspecting its contents, which is why the password is supplied in the message body. After entering the password, the recipient is shown a blurred COVID-19 document and prompted to click 'Enable Content' to view it. Once macros are enabled and the device is infected, the threat actor mocks the victim by displaying an alert containing a "COVID-19 Funeral Assistance Helpline" phone number.
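The lure described above has a pattern a mail gateway can flag: an Office attachment that is encrypted (a password-protected .xlsx is stored as an OLE compound file rather than a ZIP) while the password is handed over in the message body. The following is an added detection example, not code from the original article; the addresses, the subject text and the password "7811" are constructed sample values.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# A password-protected .xlsx/.docx is stored as an OLE compound file
# (EncryptionInfo/EncryptedPackage streams); an unencrypted one is a ZIP.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_EXT = (".xlsx", ".xlsm", ".docx", ".docm")
# Matches "the password is 7811" / "Password: 7811" in the message body.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*(\S{4,})", re.I)

def is_encrypted_ooxml(part):
    """Attachment claims a modern Office extension but carries an OLE header."""
    name = (part.get_filename() or "").lower()
    data = part.get_payload(decode=True) or b""
    return name.endswith(OOXML_EXT) and data.startswith(OLE_MAGIC)

def score_message(raw):
    """Return the reasons a message matches the lure; an empty list means no match."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    reasons = []
    if any(is_encrypted_ooxml(p) for p in msg.iter_attachments()):
        reasons.append("encrypted_office_attachment")
        if PASSWORD_RE.search(text):
            reasons.append("password_in_body")
    return reasons

def build_sample(magic):
    """Constructed message imitating the lure; 'magic' selects the attachment header."""
    msg = EmailMessage()
    msg["From"] = "hr@example.test"          # constructed sender
    msg["To"] = "employee@example.test"      # constructed recipient
    msg["Subject"] = "COVID-19 testing result"
    msg.set_content("You have been exposed to a coworker who tested positive.\n"
                    "See the attached report. The attachment password is 7811.")
    msg.add_attachment(magic + b"\x00" * 64, maintype="application",
                       subtype="octet-stream", filename="COVID-19 testing result.xlsx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample(OLE_MAGIC)))  # ['encrypted_office_attachment', 'password_in_body']
    print(score_message(build_sample(ZIP_MAGIC)))  # []
```

The OLE-header check only tells encrypted from unencrypted OOXML; legacy .xls/.doc files are OLE containers regardless, so they need a real parser rather than this heuristic.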
Because the Omicron variant is highly infectious and spreading rapidly worldwide, phishing emails that reference it are becoming increasingly common and are expected to be very effective at spreading malware. This is particularly true when the campaign impersonates a company's human resources department and targets that company's own employees.
Since Dridex phishing campaigns currently rely on password-protected attachments, businesses should train their staff to recognize and resist this kind of attack. If you receive an unexpected email, or one with an unusual attachment, check with your network administrator or a colleague to confirm that the email is genuine before opening it.