The xlsb mail attachment contacts a URL and downloads the malware from an open directory (opendir), which also hosts Ursnif/Gozi and is constantly updated.
Cybercrime, new Dridex campaign via couriers and Cutwail
Technical analysis by the Malware Hunter JAMESWT
New Dridex global campaign via couriers and Cutwail. A fake xlsm invoice, distributed by the botnet, contacts a random link from an internal list and downloads the malware.
New global courier-themed Dridex campaign. The bait is an invoice with an xlsm attachment.
If opened, the file contacts a random link from an internal list and downloads the DLL, which starts the malware infection chain. Moreover, as cybersecurity researcher moto_sato discovered, the malicious documents continue to be distributed by the Cutwail botnet. Dridex is a very dangerous banking Trojan used by cybercriminals; it has long featured in campaigns all over the world, especially courier-themed ones. The targets are mainly companies, but not exclusively.
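The behaviour described above (a macro carrying a list of download links, one chosen at random, fetching a DLL) lends itself to a simple static triage rule over the strings recovered from a document's macro code. The following is an added example written for this page, not code from the article or the researchers it cites; the macro strings are constructed sample data, and the score thresholds are assumptions.

```python
"""Static triage heuristic for Dridex-style xlsm lures.

Input: strings recovered from an Office document's macro code (for
instance by a macro-extraction tool). Two signals are scored:
  * several distinct download hosts, i.e. a rotation list of URLs
  * hints that the fetched payload is a DLL handed to a system loader
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# Substrings suggesting the downloaded file is a DLL run via a loader.
DLL_HINTS = ("rundll32", "regsvr32", ".dll")
SUSPICIOUS_SCORE = 3  # assumed threshold for this example


@dataclass
class Verdict:
    urls: list = field(default_factory=list)
    dll_hint: bool = False
    score: int = 0


def triage_macro_strings(strings):
    """Score a list of macro strings; returns a Verdict."""
    v = Verdict()
    for s in strings:
        for url in URL_RE.findall(s):
            if url not in v.urls:
                v.urls.append(url)
        if any(h in s.lower() for h in DLL_HINTS):
            v.dll_hint = True
    hosts = {urlsplit(u).hostname for u in v.urls}
    # A list of three or more distinct hosts matches the "random link
    # from an internal list" pattern; a single URL is only a weak signal.
    v.score += 2 if len(hosts) >= 3 else (1 if hosts else 0)
    v.score += 2 if v.dll_hint else 0
    return v


def is_suspicious(verdict):
    return verdict.score >= SUSPICIOUS_SCORE


# Constructed sample strings (reserved .invalid hosts, not real indicators).
SAMPLE_LURE_STRINGS = [
    "http://one.example.invalid/inv/",
    "http://two.example.invalid/files/",
    "http://three.example.invalid/doc/",
    "C:\\ProgramData\\update.dll",
    "rundll32.exe",
]
SAMPLE_BENIGN_STRINGS = ["https://intranet.example.invalid/template", "Sheet1"]
```

Run on real extracted strings, the rule is a triage aid for prioritising attachments for sandboxing, not a definitive verdict.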