A new phishing email campaign has been identified that includes an attachment of a specially prepared Excel document.
Researchers uncovered a malspam campaign that sends customers an email with import tariff data attached.
- A new variation of the infamous Dridex malware is being distributed as part of the campaign.
- The new variant steals sensitive information, including credentials, and drops further malicious modules (such as DLLs) after infection.
- Furthermore, to avoid detection by security solutions, this new variant employs anti-analysis techniques.
The New Variant of Dridex – How does it work?
The top of the Excel document in the email carries a notice in large text urging the reader to enable macros.
- If the recipient ignores the warning and opens the Excel file anyway, the auto-run VBA routine Workbook_Open() executes immediately.
- The document uses both an auto-run VBA macro and an Excel 4.0 macro.
- The malicious code in the document then runs and extracts an HTML application (HTA) file.
- In the final stage, rundll32[.]exe is used to execute the downloaded Dridex payload.
- According to experts, the new Dridex variation employs the same anti-analysis tactics as a prior variant.
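The chain above (Excel spawning a script host for the HTA, then rundll32 loading a DLL from a user-writable path) is visible in ordinary process-creation telemetry. The following is an added example written for this summary, not code from the report or from eScan: it runs a few hunting rules over constructed, Sysmon-style JSON events. The event field names, the use of mshta.exe as the HTA host (the report only says an HTML application file is extracted), and all paths and process GUIDs are assumptions made for the demo.

```python
"""Hunt over process-creation telemetry for the Excel -> HTA -> rundll32 chain.

Added example, not from the report. Event format is a constructed, Sysmon-like
subset; mshta.exe as the HTA host is an assumption.
"""
import json
import ntpath
from typing import Iterable

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe"}
# Substrings (lower-cased) of locations a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the hunting rules this event matches (empty if none)."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Rule 1: an Office host spawning a script/LOLBin host (macro execution).
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: rundll32 loading a DLL from a user-writable location (dropped payload).
    if image == "rundll32.exe" and any(p in cmdline for p in USER_WRITABLE):
        hits.append("rundll32_user_writable_dll")
    # Rule 3: mshta executing an .hta file from a user-writable location.
    if image == "mshta.exe" and ".hta" in cmdline and any(p in cmdline for p in USER_WRITABLE):
        hits.append("mshta_user_writable_hta")
    return hits


def hunt(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Parse JSON-lines events and return (ProcessGuid, matched rules) per hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry must not abort the whole hunt
        rules = evaluate(event)
        if rules:
            findings.append((event.get("ProcessGuid", "?"), rules))
    return findings


# Constructed sample telemetry (not real logs): a benign Excel launch, the
# suspicious chain from the report, and a benign system rundll32 invocation.
SAMPLE_EVENTS = r"""
{"ProcessGuid": "p1", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE C:\\Users\\alice\\Downloads\\tariffs.xlsm"}
{"ProcessGuid": "p2", "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.hta"}
{"ProcessGuid": "p3", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\stage.dll,Start"}
{"ProcessGuid": "p4", "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"}
"""

if __name__ == "__main__":
    for guid, rules in hunt(SAMPLE_EVENTS.splitlines()):
        print(guid, rules)
```

Rule 1 alone is the high-value signal for this campaign: Excel has little legitimate reason to start mshta.exe or rundll32.exe, so that edge of the process tree is worth an alert on its own, while rules 2 and 3 catch the later stages when the parent relationship is lost (for example when the HTA hands off through an intermediate process).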
Anti-analysis tactics decoded
- All API calls are hidden: the malware locates each API by a hash of its name rather than by the name itself.
- All constant strings are kept encrypted in memory and decrypted only shortly before use.
- Some API calls are deliberately made to raise an exception (0x80000003); the exception handler catches it and performs the actual API call.
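API-name hashing defeats static import analysis, but an analyst can undo it by precomputing the hash of every exported name of the libraries a sample is expected to use and looking up the values found in the binary. The block below is an added example written for this summary, not code from the report or from eScan. The report does not say which hash Dridex uses; the ROR-13 hash here is a widely documented choice used only as an illustration, and the API list and sample hash values are constructed for the demo.

```python
"""Recover API names from the name hashes a sample uses to hide its imports.

Added example, not from the report. ROR-13 is an assumed stand-in for the
sample's (unnamed) hash; KNOWN_APIS and SAMPLE_HASHES are constructed.
"""


def ror13_hash(name: str) -> int:
    """32-bit ROR-13 hash over the ASCII bytes of an API name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF
    return h


def build_table(api_names: list[str]) -> dict[int, str]:
    """Precompute hash -> name; refuse to build a table that cannot be resolved unambiguously."""
    table: dict[int, str] = {}
    for n in api_names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision between {table[h]} and {n}")
        table[h] = n
    return table


# Constructed list standing in for the export tables of kernel32/wininet/advapi32.
KNOWN_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW",
    "InternetOpenA", "InternetReadFile", "CryptDecrypt", "GetTickCount",
]

# Constructed: pretend these DWORDs were pulled from the sample's resolver table.
# Two resolve to known names; the third is a value not in our list.
SAMPLE_HASHES = [ror13_hash("VirtualAlloc"), ror13_hash("GetProcAddress"), 0x12345678]


def annotate(hashes: list[int] = SAMPLE_HASHES,
             api_names: list[str] = KNOWN_APIS) -> list[tuple[str, str]]:
    """Return (hex hash, resolved name or '<unknown>') for each hash in the sample."""
    table = build_table(api_names)
    return [(f"{h:08x}", table.get(h, "<unknown>")) for h in hashes]


if __name__ == "__main__":
    for hex_hash, name in annotate():
        print(hex_hash, name)
```

An "<unknown>" result usually means the export list is incomplete or the hash function was guessed wrong; re-deriving the routine from the sample's own resolver and regenerating the table is the fix. The same precomputed-table approach works for any name-hashing scheme once the routine is known, and the decrypted-string and exception-handler tricks listed above are similarly best handled by scripting the sample's own routines rather than by static signatures on the obfuscated bytes.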
Dridex’s threat actors have tried to stay relevant by using lure themes that persuade victims to open email attachments. Furthermore, victims opening malicious attachments despite the threat alerts demonstrate a lack of organization-wide threat prevention and employee training.
To read more, please check eScan Blog