The RAR attachment of the message contains an executable file: the malware itself. Stolen data is exfiltrated over SMTP.
Technical analysis by the Malware Hunter JAMESWT
C.H. Robinson is the latest lure in the global courier-themed Dridex campaign. The xlsm attachment, distributed by the Cutwail botnet, contacts a random link from an internal list and downloads the malware.
C.H. Robinson is the latest lure in the global courier-themed Dridex campaign. The email, referring to alleged invoices previously sent to the victim, contains an xlsm attachment.
This, if opened, contacts a random link from an internal list and downloads the DLL, which starts the malware infection chain.
Moreover, malicious Excel documents continue to be distributed by the Cutwail botnet, as the cybersecurity researcher moto_sato found in identical campaigns spread in recent weeks. Dridex is a very dangerous banking Trojan used by cybercriminals, and it has long been behind campaigns all over the world, especially courier-themed ones. The targets are mainly companies, though not exclusively.