
Cybercrime, Dridex behind the wave of emails in Italy on fake invoices

Technical analysis by the Malware Hunter JAMESWT

Dridex is behind the wave of emails on fake invoices that has just arrived in Italy. Each message contains a link from which a Word file is downloaded; the file in turn downloads a DLL and infects the machine with the malware. The attachment uses the same template as the Emotet Doc.

Dridex is behind the wave of emails on fake invoices that has just arrived in Italy. The cybercriminals' goal is to spread the banking Trojan via a link contained in the messages. The link leads to the download of a Word document onto the victim's computer; the document then contacts several malicious URLs, from which a DLL is downloaded, starting the malware infection chain. Each email contains a different link for downloading the Doc. If, however, it is detected that the document has already been downloaded, the user is redirected to another site (https://www.nchsoftware[.com/). The attachment uses the same template as the Emotet Doc.

The email text on the fake invoice with the malicious link

The Word attachment from which the DLL that infects the computer with malware is downloaded

The urls contacted by the DOC to download the Dridex DLL
