Reading Time: 2 minutes

Ever since the American Relief Plan of $4000 for Covid- 19 was signed into law, the cybercriminals have wasted no time ruining it. Dridex Banking Trojan is being distributed via email, as cybercriminals use the American rescue plan as a lure for email-based scams.

Cofense researchers discovered hackers circulating emails in March. They were using the American relief plan and other aids to scam users. Emails sent resemble IRS, use the official logo and a spoofed sender domain of IRS. In reality, the emails offer the Dridex banking trojan.

The contents of the email are tempting as it says you can get aid from the federal government of your choice and offers quotes for a tempting offer such as a $4,000 check, the ability to “skip the queue for vaccination” and free food.

There is also a button that says “Get apply form”, on clicking it they are taken to Dropbox and view an Excel document. They are asked to fill the form below to accept Federal State Aid. The documents offered to look identical to an IRS form and victims are prompted to enable the content. Once you click the form it triggers a macro it sets the infection chain indirectly.

Cofense in a blog post on Tuesday said, “While static analysis easily identifies the URLs used to download malware in this case, the automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script. The macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.”American Relief Plan

The hackers are able to get access to system monitoring tools and are able to ask for information available on the computer once they are able to manipulate the WMI (it is a subsystem of PowerShell). It can also request these queries to be given in a certain format.

According to the researchers, “The WMI query employed in this case…demands that the dropped .XSL file is used to format the response to the query.”
They further added, “This formatting directive allows JavaScript contained in the.XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.”

Dridex Banking Trojan

Dridex Banking Trojan first made its appearance in 2011. It is widely used in phishing emails and target banking information. The Dridex banking Trojan is also known as Bugat and Cridex. The trojan tries to make unauthorized electronic funds once it seizes the bank credentials of the victim.

The Dridex malware was a highly active financial trojan during the year 2015. Known to target corporate employees, its later versions were designed with additional functionality which helped in installing ransomware. Over the years it has enhanced itself with obfuscation capabilities.

Earlier in 2019, the US authorities managed to nab Maksim Yakubets, the leader of Russian-speaking cybercrime group Evil Corp. The US authorities are still offering $5 million for information related to Yakubets and Evil Corp. They are accused of stealing millions of dollars from victims using the Dridex banking trojan and Zeus malware.