Amazon Gift Card Scam Delivers Dridex This Holiday Season

Dridex operators launch a social engineering scam that promises victims a $100 gift card but delivers a banking Trojan.

The operators behind Dridex have a nefarious trick up their sleeves this holiday season: A widespread phishing scam promises victims a $100 Amazon gift card but instead delivers the prolific banking Trojan to target machines.


This campaign first appeared around Halloween and picked up in the beginning of November, the Cybereason Nocturnus team reports. Most targets are from the United States and Western Europe, where Amazon is very popular and people may be more likely to fall for a scam like this – especially at a time when online shopping and gift-giving are more prevalent due to COVID-19.


Victims receive an email that claims to be delivering a gift from Amazon: "We are delighted to enclose a $100 Amazon gift card as our way of saying Thank You," a sample message says. The researchers found most emails pretend to come from Amazon, though exact wording may vary.


This email prompts its recipient to download a gift card, which leads to Dridex infection through one of three different methods. 


The first delivery vector is a malicious Word document with a variation of "gift card" in the file name. The file asks the victim to click "enable content," which runs the macros. This is a common technique in phishing attacks, since embedded macros are usually disabled by default.


If a user enables content, an obfuscated VBScript file is executed. The macro itself contains an obfuscated, Base64-encoded PowerShell script that opens a pop-up with a fake error message. This tricks the user into thinking there was an error while the macro runs in the background. The PowerShell connects to the command-and-control (C2) server and delivers the Dride ..
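For defenders, the Word-to-PowerShell chain described above can be hunted in process-creation telemetry. The following is an added example, not code from the article or from Cybereason: it assumes events with hypothetical `parent`, `image` and `cmdline` fields, assumes the encoded script reaches PowerShell through its `-EncodedCommand` parameter (the article does not say how it is passed), and runs on constructed sample events.

```python
import base64
import binascii

# Parents from the chain described above; the script-host names are an assumption.
SUSPECT_PARENTS = {"winword.exe", "wscript.exe", "cscript.exe"}
# Illustrative keywords for the two behaviours the article mentions.
TRAITS = {"fake_popup": ("messagebox", ".popup("),
          "network": ("net.webclient", "invoke-webrequest", "downloadstring")}

def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (or an abbreviation), else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:  # PowerShell expects Base64 over UTF-16LE text
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None

def triage(event):
    """Flag PowerShell started by Word or a script host with an encoded command."""
    is_ps = event["image"].lower() in ("powershell.exe", "pwsh.exe")
    if not is_ps or event["parent"].lower() not in SUSPECT_PARENTS:
        return None
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return None
    low = script.lower()
    traits = sorted(t for t, words in TRAITS.items() if any(w in low for w in words))
    return {"parent": event["parent"], "traits": traits, "script": script}

def encode_sample(script):  # builds the constructed sample input below
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed events, not campaign data; example.invalid is a placeholder host.
SAMPLE = ("[System.Windows.Forms.MessageBox]::Show('Word experienced an error'); "
          "Invoke-WebRequest https://example.invalid/placeholder")
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + encode_sample(SAMPLE)},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc " + encode_sample("Get-Date")},
    {"parent": "WINWORD.EXE", "image": "splwow64.exe", "cmdline": "splwow64.exe 12288"},
]

def run():
    return [hit for hit in map(triage, EVENTS) if hit]
```

Only the first constructed event is flagged; the decoded script is returned alongside the trait tags so an analyst can read what the macro tried to run.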
