Scam Emails Impersonate IRS & Cloak Dridex Trojan

The American Rescue Plan has already become a target of scammers. The Plan is the COVID-19 relief legislation that has just been signed into law, but it is already being used as a lure in email-based scams delivering banking Trojans.

According to researchers at Cofense, scammers are trying to get their hands on $1,400 relief payments and other aid. 

The emails mimic the IRS, feature the agency’s official logo and a spoofed domain of lRS[.]gov – with a lower-case “L” rather than an upper-case “I.” Emails contain a fake application for financial assistance. In reality, the emails distribute the Dridex banking trojan.

“It is possible to get aid from the federal government of your choice,” the email reads, and then lures victims with things like a $4,000 check, free food, and the ability to “skip the queue for vaccination.”

When users click a button in the emails, they are taken to a Dropbox account where they see an Excel document and a notice saying, “Fill this form below to accept Federal State Aid.” 

The document asks the victim to enable macros. If they do, they trigger the infection chain, according to Cofense.

“While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script,” Cofense researchers explained in their report. “The macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.”

WMI gives administrators a standard interface for system monitoring and management, including the ability to query details about almost any component that exists on a given computer.

“This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.”
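The chain described above (an Office macro writing an .XSL file to disk, then invoking WMI with a formatting directive so that script inside the stylesheet runs) leaves a recognisable trace in process-creation telemetry. The following detection script is an added example, not code from the article or from Cofense. It assumes that the "formatting directive" corresponds to the `/format:` switch of `wmic.exe`, which is a documented feature of that tool; the log format, file paths and sample events are constructed for the example and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "Key=value; Key=value" process-creation
# log format (not real telemetry from the campaign). All paths are invented.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; '
    r'Image=C:\Windows\System32\wbem\WMIC.exe; '
    r'CommandLine=wmic os get /format:"C:\Users\victim\AppData\Local\Temp\example.xsl"',
    r'ParentImage=C:\Windows\explorer.exe; Image=C:\Windows\System32\wbem\WMIC.exe; '
    r'CommandLine=wmic os get caption',
    r'ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE; '
    r'Image=C:\Windows\System32\notepad.exe; CommandLine=notepad.exe report.txt',
    r'ParentImage=C:\Windows\System32\cmd.exe; Image=C:\Windows\System32\wbem\WMIC.exe; '
    r'CommandLine=wmic process list /format:list',
]

# Office applications whose macros should not normally spawn wmic.exe.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Built-in wmic output formats; a /format: value outside this set is an external
# stylesheet (a file path or URL), which is the case the article describes.
BUILTIN_FORMATS = {"list", "csv", "hform", "htable", "mof", "rawxml",
                   "table", "texttablewsys", "value", "xml"}

# Captures the argument of /format:, with or without surrounding quotes.
FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)"?', re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=value; Key=value' log line into a ProcessEvent."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields.get("ParentImage", ""),
                        fields.get("Image", ""),
                        fields.get("CommandLine", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def xsl_format_target(command_line: str):
    """Return the /format: argument if it names an external stylesheet, else None."""
    match = FORMAT_RE.search(command_line)
    if not match:
        return None
    target = match.group(1)
    if target.lower() in BUILTIN_FORMATS:
        return None          # ordinary built-in output format, nothing unusual
    return target


def classify(event: ProcessEvent) -> list:
    """Return the list of reasons this event looks like the WMI/XSL technique."""
    reasons = []
    if basename(event.image) != "wmic.exe":
        return reasons
    target = xsl_format_target(event.command_line)
    if target:
        reasons.append(f"wmic /format: points to external stylesheet {target}")
    parent = basename(event.parent_image)
    if parent in OFFICE_PROCESSES:
        reasons.append(f"wmic spawned by Office process {parent}")
    return reasons


def scan(lines) -> list:
    """Run every log line through the classifier; return (command_line, reasons) alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event.command_line, reasons))
    return alerts


if __name__ == "__main__":
    for command_line, reasons in scan(SAMPLE_EVENTS):
        print(command_line)
        for reason in reasons:
            print("  -", reason)
```

Only the first constructed event produces an alert: it both points `/format:` at an .xsl file outside the built-in format names and is spawned by Excel, which matches the article's description and deserves a high-severity alert. Either signal on its own is weaker (a built-in `/format:list` from a shell is routine administration), so the two reasons are reported separately rather than collapsed into one boolean.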

The Dridex malware (a.k.a. Bugat and Cridex) first appeared in 2011. It has been used to steal banking information and can initiate electronic funds transfers from victims’ bank accounts.

Researchers point out a few suspicious traits of the emails that should set off alarms for recipients. They noticed illogical phrasing like “Federal State Aid” (federal and state aid are two different things), incorrect grammar such as “the federal government of your choice,” and unnatural-sounding sentences.

The researchers said, however, “Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.”


About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.