A fresh Dridex malware phishing campaign lures victims into opening a malicious Excel document, trolling them with a season’s greeting message. Dridex is banking malware designed to steal online banking credentials, and it spreads through malicious emails. Over time, its makers added new modules that let it do more nefarious things, such as installing other malware payloads, granting threat actors remote access, and propagating to other devices on the network.
This malware was created by the Evil Corp hacker gang, which is also responsible for the BitPaymer, DoppelPaymer, WastedLocker variants and Grief ransomware. Dridex infections are known to lead to ransomware attacks on vulnerable networks. Over the last several weeks, a Dridex affiliate has been sending out a slew of malicious email campaigns to researchers, using email addresses and filenames containing racist and antisemitic slurs.
Dridex is mocking people again, according to security researcher TheAnalyst, but this time it is the victims who receive fraudulent employment termination emails. The subject of these emails is “Employee Termination.” The message informs the recipient that their job will end on December 24, 2021, and that “this decision is not reversible.” The emails include a password-protected Excel spreadsheet named ‘TermLetter.xls’ that supposedly details why the recipient was dismissed, along with the password needed to open the document.
When the recipient opens the Excel spreadsheet and enters the password, a blurred “Personnel Action Form” appears, stating that they must “Enable Content” to view it properly. When the victim clicks Enable Content, a window pops up teasing them with the message “Merry X-Mas Dear Employees!” What the victim does not see is that malicious macros have already run, creating and launching a malicious HTA file in the C:\ProgramData folder.
While wishing the recipient a Merry Christmas, this randomly named HTA file masquerades as an RTF file but contains a malicious VBScript that downloads Dridex from Discord to infect the device. As a further “joke,” TheAnalyst said, the Dridex file retrieved from Discord is named ‘jesusismyfriend.bin.’ Once running, Dridex begins installing other malware, stealing passwords, and carrying out other malicious actions.
So if you receive an email claiming you have been dismissed just before Christmas, check with your human resources department or employer first. Because Dridex infections frequently lead to ransomware attacks, Windows administrators must keep up with the latest malware distribution techniques and teach staff how to recognize them.