
Cybercrime: Dridex attacks again via QuickBooks

Technical analysis by the Malware Hunter JAMESWT

A new Dridex campaign relies on QuickBooks-themed emails carrying a link. Opening the link downloads a file that contacts a URL taken from an internal list and downloads the DLL that starts the malware infection.

Dridex hits again today with a new malspam campaign that uses QuickBooks as a lure and a link in the email. The link, once followed, downloads a DOC document. If the file is opened, it downloads the DLL from one of the URLs in an internal list and starts the malware infection chain. This new tactic aims to slip past anti-virus products and get the victim to download the malicious file. Dridex is a very dangerous banking Trojan used by cybercrime groups; it has long been the protagonist of campaigns all over the world, especially with a courier theme. The targets are mainly companies, but not only.

The fake Quickbooks email

The doc document

The links to download the dll

The C2s

The decoded PowerShell script, with the URLs contacted to download the DLL
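The chain described above (Office document, script host, list of download URLs, DLL) is what a defender can hunt for in process-creation telemetry. The following is an added example, not code from the original analysis: it triages Sysmon-style process events for an Office parent launching a script host whose decoded command line carries DLL download URLs, and extracts that URL list for blocking. The event records, field names and hostnames are constructed placeholders, not indicators from this campaign.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Office applications whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts a malicious document typically launches to fetch a payload.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Stops at quotes, commas and semicolons so a quoted URL list splits cleanly.
URL_RE = re.compile(r"https?://[^\s'\"`,;)]+", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style); constructed for this example."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(command_line: str) -> List[str]:
    """Pull every URL from a decoded command line; the script's internal list becomes blocklist input."""
    return URL_RE.findall(command_line)


def is_office_download_chain(ev: ProcEvent) -> bool:
    """Office parent -> script host child -> at least one URL pointing at a .dll."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return False
    if basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(u.lower().endswith(".dll") for u in extract_urls(ev.command_line))


def triage(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (event index, URL list) for every event that matches the chain."""
    return [(i, extract_urls(ev.command_line))
            for i, ev in enumerate(events) if is_office_download_chain(ev)]


# Constructed sample events; .invalid hostnames are placeholders, not campaign indicators.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden $u='http://one.example.invalid/a.dll','http://two.example.invalid/b.dll';"
              "foreach($x in $u){...}"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Invoke-WebRequest http://intranet.example.invalid/report.csv"),
]

if __name__ == "__main__":
    for idx, urls in triage(SAMPLE_EVENTS):
        print(f"event {idx}: Office -> script host fetching a DLL from {urls}")
```

Only the first constructed event matches; the second (Explorer launching PowerShell to fetch a CSV) is left alone so the check stays focused on the document-to-DLL chain rather than every PowerShell download.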
