Cybercrime, Dridex returns via couriers and invoices

Technical analysis by the Malware Hunter JAMESWT

New global Dridex campaign with a courier and invoice theme. The xlsm attachment, if opened, contacts a URL chosen at random from an internal list and downloads the DLL that starts the malware infection.

Dridex is back in a new global courier- and invoice-themed campaign. The email carries an xlsm attachment which, if opened, contacts a URL chosen at random from an internal list and downloads the DLL that starts the malware infection chain. Dridex is a very dangerous banking Trojan used by cybercrime groups and has long been the protagonist of campaigns all over the world, especially courier-themed ones. The targets are mainly companies, but not exclusively.
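The chain described above (Office document opened, outbound connection, DLL written to disk) is something endpoint telemetry can surface. The following is an added example, not part of the original analysis: it correlates constructed Sysmon-style events per process and flags an Office process that writes a .dll shortly after a network connection. Event field names, timestamps, addresses and file names are all constructed placeholders.

```python
"""Correlate per-process telemetry for the infection chain in the article:
an Office process (the opened .xlsm) connects out, then drops a DLL.
Event schema and all sample values are constructed assumptions."""
from datetime import datetime, timedelta

OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
WINDOW = timedelta(seconds=60)  # max gap between connection and DLL write

# Constructed sample events (TEST-NET addresses, placeholder paths).
EVENTS = [
    {"pid": 4120, "image": "EXCEL.EXE", "ts": "2021-01-12T09:14:02",
     "type": "NetworkConnect", "dest": "198.51.100.7:443"},
    {"pid": 4120, "image": "EXCEL.EXE", "ts": "2021-01-12T09:14:05",
     "type": "FileCreate", "path": r"C:\Users\u\AppData\Local\Temp\dropped.dll"},
    {"pid": 5231, "image": "EXCEL.EXE", "ts": "2021-01-12T10:00:00",
     "type": "FileCreate", "path": r"C:\Users\u\Documents\report.xlsx"},
    {"pid": 6000, "image": "chrome.exe", "ts": "2021-01-12T10:01:00",
     "type": "NetworkConnect", "dest": "203.0.113.9:443"},
    {"pid": 6000, "image": "chrome.exe", "ts": "2021-01-12T10:01:01",
     "type": "FileCreate", "path": r"C:\Users\u\Downloads\x.dll"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def find_office_dll_drops(events, window=WINDOW):
    """Return one alert per Office process that writes a .dll within
    `window` after its most recent outbound network connection."""
    alerts = []
    last_connect = {}  # pid -> (timestamp, destination) of latest connection
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if ev["image"].lower() not in OFFICE_PROCS:
            continue  # only the Office process that opened the attachment matters
        if ev["type"] == "NetworkConnect":
            last_connect[ev["pid"]] = (parse_ts(ev["ts"]), ev["dest"])
        elif ev["type"] == "FileCreate" and ev["path"].lower().endswith(".dll"):
            conn = last_connect.get(ev["pid"])
            if conn and parse_ts(ev["ts"]) - conn[0] <= window:
                alerts.append({"pid": ev["pid"], "dest": conn[1], "dll": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in find_office_dll_drops(EVENTS):
        print(f"ALERT pid={alert['pid']} connected to {alert['dest']} then wrote {alert['dll']}")
```

Only the Excel process that both connected out and wrote a DLL is flagged; the browser download and the ordinary .xlsx save are ignored.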

The trap email

The fake invoice

The internal URL list, one entry of which is contacted at random to download the DLL

The C2s

