Over the last few weeks, a malware distributor has been taunting victims and researchers with the Dridex banking malware. Its latest phishing campaign taunts victims with a phone number for a COVID-19 funeral assistance helpline.
Dridex is a banking malware transmitted via phishing emails containing malicious Word or Excel attachments. By opening these attachments and enabling macros, the malware will be downloaded and installed on the victim’s device.
Dridex is designed to steal online banking credentials, spread to other machines, and potentially provide network access for follow-on ransomware attacks.
COVID-19 Omicron variant used as a lure
A Dridex phishing email distributor has been toying with victims and researchers over the past few weeks.
Security researchers were first targeted when the threat actor used their names in combination with racist comments as malware file names and email addresses.
After infecting their devices, the threat actor sent fake termination letters to employees with the message “Merry X-Mas Dear Employees!”.
In a new phishing campaign uncovered by MalwareHunterTeam and 604Kuzushi, this same threat actor spammed emails with the subject “Covid-19 testing result” that claimed the recipient had been exposed to a coworker who tested positive for the Omicron COVID-19 variant.
The new phishing email informs recipients that they were exposed to a coworker who tested positive for the OMICRON variant of COVID-19 between December 18th and 20th, and adds:
“I have attached a document with details you should review.”
The email contains a password-protected Excel attachment as well as the password required to open it.
After entering the password, the recipient is presented with a blurred COVID-19 document and asked to click ‘Enable Content’ in order to access it.
To add insult to injury, the threat actor taunts its victims by flashing an alert with the phone number for the “COVID-19 Funeral Assistance Helpline” after macros have been activated and the device has been infected.
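The combination the article describes, a password-protected Office attachment with the password written in the message body, is a recognisable pattern for mail filtering because the encryption exists precisely so attachment scanners cannot look inside. The following is an added example, not code from the article or from any of the researchers named in it, showing a small triage check over a raw e-mail: it flags a password phrase in the body, the campaign's "Covid-19 testing result" subject, and OOXML attachments (.xlsx/.docx and macro variants) whose bytes start with the OLE Compound File signature, which is how a password-protected OOXML package is stored. The sample messages, sender and recipient addresses, file names and the password value are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# A password-protected .xlsx/.xlsm/.docx/.docm is not stored as the usual ZIP
# package but as an OLE Compound File (CFB) holding an EncryptedPackage stream.
# An OOXML file name whose bytes start with the CFB signature is therefore a
# reliable "encrypted Office package" indicator without opening the file.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
OOXML_EXT = (".xlsx", ".xlsm", ".docx", ".docm")

# "password is 1234", "Password: abcd" and similar phrasings in the body.
PASSWORD_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)
# Subject used by the campaign; the "test(ing) result" wording is kept loose.
LURE_SUBJECT_RE = re.compile(r"covid[- ]?19.*test(?:ing)?\s+result", re.IGNORECASE)


def build_sample_email(malicious: bool = True) -> bytes:
    """Constructed sample message (not a real capture). malicious=True mimics the
    lure described in the article; malicious=False is an ordinary HR mail with
    a plain (ZIP-packaged) workbook and no password in the body."""
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"        # placeholder sender
    msg["To"] = "employee@example.invalid"    # placeholder recipient
    if malicious:
        msg["Subject"] = "Covid-19 testing result"
        msg.set_content(
            "You were exposed to a coworker who tested positive for the OMICRON "
            "variant of COVID-19 between December 18th and 20th.\n"
            "I have attached a document with details you should review.\n"
            "The password is 1234\n"          # constructed password value
        )
        # CFB signature plus filler stands in for an encrypted workbook.
        payload = CFB_MAGIC + b"\x00" * 64
        filename = "Covid-19_result.xlsx"     # constructed file name
    else:
        msg["Subject"] = "Q4 timesheet reminder"
        msg.set_content("Please fill in the attached timesheet by Friday.\n")
        payload = ZIP_MAGIC + b"\x00" * 64    # ordinary OOXML (ZIP) package
        filename = "timesheet.xlsx"
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def analyze_email(raw: bytes) -> dict:
    """Return the indicators found in a raw RFC 5322 message and a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    subject = str(msg.get("Subject", ""))

    findings = []
    password_in_body = bool(PASSWORD_RE.search(body))
    if password_in_body:
        findings.append("attachment password supplied in the message body")
    if LURE_SUBJECT_RE.search(subject):
        findings.append("subject matches the COVID-19 test-result lure")

    encrypted_attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(OOXML_EXT) and data.startswith(CFB_MAGIC):
            encrypted_attachments.append(name)
            findings.append(f"{name}: OOXML name but OLE container (password-protected package)")

    # Password in the body plus an encrypted Office file is the pattern the
    # article describes; that combination defeats attachment scanning by design.
    if encrypted_attachments and password_in_body:
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings,
            "encrypted_attachments": encrypted_attachments}


if __name__ == "__main__":
    for flag in (True, False):
        print(analyze_email(build_sample_email(malicious=flag)))
```

Legacy .xls and .doc files are OLE containers even when unencrypted, so the signature check above is deliberately limited to OOXML extensions; detecting encryption in the legacy formats would require parsing the workbook or document stream, which is left out here. The verdict stays at "review" rather than "quarantine" when only one of the two indicators is present, so an HR department that legitimately sends encrypted spreadsheets is not blocked outright.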
Due to the highly contagious nature of the Omicron variant and its quick dissemination around the world, phishing emails about the Omicron variant are becoming increasingly common and are anticipated to be very effective in propagating malware.
This is especially true if the phishing campaign impersonates the human resources department of a company and targets employees from the same firm.
Because Dridex phishing attempts currently use password-protected files, businesses must train their personnel to recognise and resist such attacks.
As always, if you receive an unexpected email or one with unusual attachments, check with your network administrator or other coworkers to see if the email is authentic.