Written by AJ Vicens
Dec 23, 2021 | CYBERSCOOP
A phishing campaign using a well-known malware families is employing a pair of particularly devious methods to trick targets into opening an infected file: fake employee termination notices and phony omicron-variant exposure warnings.
A threat researcher going by the name of “TheAnalyst” posted a screenshot of the fake employment termination notice Dec. 22, attributing it to a Dridex affiliate.
The suspicious email told the target that their employment would cease as of Dec. 24, and that the decision was not reversible. An attached password-protected Excel file promised additional details.
Once a recipient opened a file, a blurred form appeared with a button to “Enable Content,” which enabled the file to run an automated script through its macros feature, a technique intended to help automation that simultaneously has been abused for years for malicious purposes. After the button was clicked, a pop-up window appeared: “Merry X-Mas Dear Employees!”
Dridex is a trojan dating back to 2014 that typically spreads through email phishing campaigns and is associated with credential theft. It’s been used to steal more than $100 million from financial institutions and banks spread across 40 countries, according to the U.S.
Read More: https://www.cyberscoop.com/fake-termination-notices-dridex-evil-corp/
