Dridex operators launch a social engineering scam that promises victims a $100 gift card but delivers a banking Trojan.
The operators behind Dridex have a nefarious trick up their sleeves this holiday season: A widespread phishing scam promises victims a $100 Amazon gift card but instead delivers the prolific banking Trojan to target machines.
This campaign first appeared around Halloween and picked up in the beginning of November, the Cybereason Nocturnus team reports. Most targets are from the United States and Western Europe, where Amazon is very popular and people may be more likely to fall for a scam like this – especially at a time when online shopping and gift-giving are more prevalent due to COVID-19.
Victims receive an email that claims to be delivering a gift from Amazon: “We are delighted to enclose a $100 Amazon gift card as our way of saying Thank You,” a sample message says. The researchers found most emails pretend to come from Amazon, though exact wording may vary.
This email prompts its recipient to download a gift card, which leads to Dridex infection through one of three different methods.
The first delivery vector is a malicious Word document with a variation of “gift card” in the file name. This file requests the victim click “enable content,” which runs the macros. This is a common technique used in phishing attacks; embedded macros are usually disabled by default.
If a user enables content, an obfuscated VBScript file is executed. The macro itself contains an obfuscated, base64 encoded PowerShell script that opens a pop-up with a fake error message. This tricks the user into thinking there was an error while the macro runs in the background. The PowerShell connects to the command-and-control (C2) server and delivers the Dridex payload.
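The macro stage described above carries a base64 encoded PowerShell command whose first visible act is a fake error pop-up. As an added triage example, not code from the write-up or from Cybereason, the following Python locates base64 runs in extracted macro source and decodes the ones that read as PowerShell; the macro text, the encoded command and the decoy blob are all constructed for illustration.

```python
import base64
import re
from typing import List, Optional, Tuple

# Base64 runs long enough to hold a command rather than a stray identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Strings typical of dropper one-liners; MessageBox covers the fake error pop-up.
PS_MARKERS = ("MessageBox", "New-Object", "Invoke-", "Start-Process", "IEX", "DownloadString")


def decode_powershell(blob: str) -> Optional[Tuple[str, str]]:
    """Return (encoding, text) if blob is base64 of readable PowerShell, else None."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    # -EncodedCommand takes base64 over UTF-16LE; UTF-8 covers other embeddings.
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if not all(c.isprintable() or c in "\r\n\t" for c in text):
            continue  # decoded to binary junk, not a script
        if any(marker in text for marker in PS_MARKERS):
            return enc, text
    return None


def scan_macro(vba_source: str) -> List[Tuple[int, str, str]]:
    """List (offset, encoding, decoded_text) for each blob that decodes to PowerShell."""
    hits = []
    for m in B64_RUN.finditer(vba_source):
        found = decode_powershell(m.group(0))
        if found:
            hits.append((m.start(), found[0], found[1]))
    return hits


# Constructed sample (not from the campaign): one encoded pop-up command plus a
# decoy base64 string of binary data that must not be flagged.
SAMPLE_PS = "[System.Windows.Forms.MessageBox]::Show('Error: the file could not be opened')"
ENCODED_PS = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")
DECOY = base64.b64encode(bytes(range(256))).decode("ascii")
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    f'    icon = "{DECOY}"\n'
    f'    cmd = "{ENCODED_PS}"\n'
    "End Sub\n"
)
```

Calling `scan_macro(SAMPLE_MACRO)` returns a single hit at the offset of the encoded string, decoded as UTF-16LE, while the decoy blob is ignored.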
The second delivery vector involves screensaver (SCR) files, which are also popular among attackers. These let criminals bypass email filters that rely solely on file extension, and also bundle multiple components together, since SCR files are in effect self-executing archives.
“They can run and execute any type of code aside from the screensaver itself,” explains Assaf Dahan, threat research lead at Cybereason. “So they have the potential of being malicious and they exploit this as well … to evade certain security products or email screening software.”
In this campaign, the SCR files have convincing Amazon-themed icons and naming conventions, researchers point out in a writeup of their findings. One of the files contains a VBScript, an archive, a utility to extract it, and a batch file.
The third delivery method is a straightforward VBScript file that is downloaded via a malicious link in the email body. It’s about 2MB in size due to an archive bundled with it, researchers say.
Dridex’s use of these techniques isn’t unusual, Dahan says. The tactics themselves have proved effective for years, and a variety of infection methods increases the likelihood of successful attacks.
“It’s mainly the idea of not putting all your eggs in one basket,” he explains. “If one technique gets picked up by a certain security product or email filter, they’ll still have other options, so it doesn’t burn out their entire operation.”
Some corporate devices have security policies to block macros from being enabled, for example, and this would disrupt the first attack method.
Source: https://www.darkreading.com/threat-intelligence/amazon-gift-card-scam-delivers-dridex-this-holiday-season/d/d-id/1339810?&web_view=true