Technical analysis by the Malware Hunter JAMESWT
Dridex is back in a courier-themed campaign with a .xlsm attachment, which downloads a DLL that starts the malware infection chain. So far, the detected emails imitate DHL and UPS.
Dridex is back, attacking users with a global courier-themed campaign. The bait is the usual fake invoice attached in .xlsm format, so far arriving from emails that imitate DHL and UPS. If opened, the attachment contacts a malicious link (only one per .xlsm), from which it downloads a DLL that infects the computer with the malware. Dridex is a very dangerous banking Trojan used by cybercriminals, and it has long been the protagonist of campaigns all over the world. The targets are mainly companies, but not only. In both cases the texts are written in correct English, although there are no logos or visual references to the couriers used as decoys.
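A triage check for the attachment pattern described above (macro-enabled workbook, a single download URL, a DLL), added here as an example and not code from the original post or from JAMESWT; the sample workbook, URL and DLL name are constructed placeholders:

```python
"""Flag .xlsm attachments whose VBA project references a download URL and a DLL.

Added example, not code from the original post. The workbook built below is
constructed in memory; the URL and DLL name in it are placeholders.
"""
import io
import re
import zipfile
from typing import Optional

# Office stores macros of a macro-enabled workbook (.xlsm) in this zip member.
VBA_PART = "xl/vbaProject.bin"
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_\-?=&%]+")
DLL_RE = re.compile(rb"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)


def triage_xlsm(data: bytes) -> dict:
    """Report macro presence plus URLs and DLL names visible in the VBA part.

    Real VBA streams live in a compressed OLE container, so literal strings are
    not always visible; an empty result is not proof that a file is clean.
    """
    result = {"has_macro": False, "urls": [], "dlls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if VBA_PART not in zf.namelist():
            return result
        result["has_macro"] = True
        blob = zf.read(VBA_PART)
    result["urls"] = sorted({m.decode() for m in URL_RE.findall(blob)})
    result["dlls"] = sorted({m.decode().lower() for m in DLL_RE.findall(blob)})
    return result


def is_suspicious(report: dict) -> bool:
    """Matches the lure shape described in the post: macro + URL + DLL reference."""
    return report["has_macro"] and bool(report["urls"]) and bool(report["dlls"])


def build_sample(vba_payload: Optional[bytes]) -> bytes:
    """Constructed minimal .xlsm-like zip for offline testing (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if vba_payload is not None:
            zf.writestr(VBA_PART, vba_payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder strings standing in for what a macro might carry.
    lure = build_sample(b"Sub Auto_Open() ... http://invoice-placeholder.example/dl ... upd.dll")
    print(triage_xlsm(lure), is_suspicious(triage_xlsm(lure)))
```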
The emails that imitate DHL and UPS
The fake DHL invoice
The fake UPS invoice
DHL: DNS and HTTP/HTTPS requests / connections
UPS: DNS and HTTP/HTTPS requests / connections