Dridex is banking malware that uses macros to spread on Windows systems. Spam email attachments are used to deliver the infection. Banking malware of this kind is generally a keylogger: it tricks the user into opening the attachment, then records the keystrokes on the user's computer and uses them for the attacker's benefit. A recently spotted Dridex campaign used PDF files as the carrier, with the attachment posing as an invoice or payment receipt.
The subject line is “Copy of your 123-reg invoice (123-458452066 )”.
The message body gives details about the order placed and states that the payment receipt is attached. Support details are given at the end of the mail to make it look genuine and convince the user to open the attachment.
How it spreads on the system:
PDF name – 123-149715480-reg-invoice.pdf
It spreads via spam emails and tricks the user into opening the attachment by presenting it as a payment receipt or invoice.
As can be seen here, the .docm file 99848 carried inside the PDF is responsible for the infection.
Dridex has changed its propagation method, but the action remains the same: it still spreads through a .docm file, and the PDF merely acts as a carrier. Stronger techniques for identifying spam mails and a stricter firewall policy are a must.
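To illustrate the carrier pattern described above, here is an added triage example (not code from the original post or from Quick Heal) that scans raw PDF bytes for embedded file streams and for attachments with macro-capable Office extensions. The sample PDF, its object layout and the filename invoice.docm are constructed for this example; it only inspects uncompressed object dictionaries, so PDFs that hide their objects in compressed object streams need a full parser.

```python
import re

# Constructed sample: a minimal, harmless, uncompressed PDF skeleton that declares
# a file-attachment annotation pointing at an embedded .docm. The filename and
# object numbers are invented for this example, not taken from the campaign.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(invoice.docm) 5 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /FileAttachment /FS 5 0 R /Rect [0 0 10 10] >> endobj
5 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Office formats that can carry VBA macros (legacy .doc/.xls included).
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm", ".doc", ".xls")

def embedded_filenames(pdf_bytes):
    """Collect filenames from /F and /UF string entries of /Filespec dictionaries."""
    names = set()
    for m in re.finditer(rb"/(?:UF|F)\s*\((.*?)\)", pdf_bytes, re.S):
        names.add(m.group(1).decode("latin-1"))
    return sorted(names)

def has_embedded_file(pdf_bytes):
    """True if the PDF declares at least one /EmbeddedFile stream."""
    return b"/EmbeddedFile" in pdf_bytes

def has_open_action(pdf_bytes):
    """True if the PDF auto-runs something on open (common in droppers)."""
    return b"/OpenAction" in pdf_bytes or b"/JavaScript" in pdf_bytes

def triage(pdf_bytes):
    """Return (verdict, findings); 'suspicious' when an Office attachment is embedded."""
    findings = []
    if has_embedded_file(pdf_bytes):
        findings.append("embedded file stream present")
    office = [n for n in embedded_filenames(pdf_bytes) if n.lower().endswith(MACRO_EXTENSIONS)]
    findings.extend("embedded Office document: " + n for n in office)
    if has_open_action(pdf_bytes):
        findings.append("OpenAction/JavaScript present")
    verdict = "suspicious" if office else "no macro-capable attachment found"
    return verdict, findings
```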
Quick Heal Detection
Subject Matter Expert
• Nayan Vairagi
– Threat Research and Response Team