A new Dridex malware phishing campaign is using fake employee termination as a lure to open a malicious Excel document, which then trolls them with a season's greeting message.
TheAnalyst, a threat researcher, shared a screenshot of the false employment termination notice on December 22, linking it to a Dridex affiliate.
The suspicious email informed the target that their employment will end on December 24, and also that the decision could not be reversed. A password-protected Excel file attached offered further information.
When a receiver accessed the file, a blurred form with a button to "Enable Content" appeared, allowing the file to run an automated script through its macros function, a technology designed to aid automation that has been misused for years for harmful purposes. After clicking the button, a pop-up window displayed with the words "Merry X-Mas Dear Employees!"
Dridex is a trojan that was first discovered in 2014 and is related to credential theft. It spreads via email phishing campaigns. According to the US Treasury Department, it has been used to steal more than $100 million from banking institutions in 40 nations.
Dridex is thought to have been created by Evil Corp., a Russian hacker gang that has become one of the most notorious and prolific cybercrime organizations in recent years. In December 2019, the US government sanctioned the organization and indicted its alleged founders, Maksim Yakubets and Igor Turashev, for their roles in developing Bugat, the predecessor malware to Dridex.
A response to TheAnalyst's tweet including the false termination notice observed that in some copies of the email, the "Merry X-Mas" pop-up replaced the word "Employees" with racial insults.
The racist content with this particular Dridex campaign extends back to a few months, according to TheAnalyst.
For example, a phishing email sent out to targets during Black Friday mentioned shooting "black protesters" with a license. "If you find this message to be inappropriate or offensive, please click the complaint button in the attached document and we will never contact you again," the message stated.
According to TheAnalyst, cybercriminals frequently insert racist email addresses inside the malware payloads to insult researchers. This element of the campaign is not visible to the campaign's targets, but it is visible to researchers who seek out, study, and expose phishing campaigns.
