Fake Christmas Eve termination notices used as phishing lures

Dec 23, 2021 | CYBERSCOOP

A phishing campaign using a well-known malware family is employing a pair of particularly devious methods to trick targets into opening an infected file: fake employee termination notices and phony omicron-variant exposure warnings.

A threat researcher going by the name of “TheAnalyst” posted a screenshot of the fake employment termination notice Dec. 22, attributing it to a Dridex affiliate.

The suspicious email told the target that their employment would cease as of Dec. 24, and that the decision was not reversible. An attached password-protected Excel file promised additional details.

Once a recipient opened the file, a blurred form appeared with a button to “Enable Content,” which allowed the file to run an automated script through its macros feature, a capability intended to help automation that has been abused for years for malicious purposes. After the button was clicked, a pop-up window appeared: “Merry X-Mas Dear Employees!”

Dridex is a trojan dating back to 2014 that typically spreads through email phishing campaigns and is associated with credential theft. It’s been used to steal more than $100 million from financial institutions and banks spread across 40 countries, according to the U.S.

Read More: https://www.cyberscoop.com/fake-termination-notices-dridex-evil-corp/