Dridex spread via phishing scam

by Gabriel E. Hall

A new phishing campaign impersonates the accounting software Xero[1] by sending fake invoice emails to unsuspecting users.[2] The concern is that victims who follow the link can end up infected with the Dridex banking Trojan[3], which steals sensitive online banking information.

Phishing scam

Xero is an accounting application, developed by a company based in New Zealand, that saves its users time by bundling a range of bookkeeping tools. The software itself is legitimate; the scammers are only borrowing its name and branding, which is also a reputational problem for the real product.

Because Xero is widely used, infected computers have turned up around the globe. This is not an isolated case either: similar lures, possibly from the same group, impersonate MYOB, Dropbox, and QuickBooks, since attackers deliberately pick popular brands that users already trust.[4]

The lure itself is an email claiming that a billing invoice is available via a link, and it urges the recipient to open the bill and view the payment details.

To appear legitimate, the email includes several genuine links that lead to the real Xero website, and it is written professionally in the style of a real notification. Only one link is fake: the one that supposedly leads to the invoice. That means a quick glance at the links is not enough; the actual destination of each one has to be checked.

Once clicked, the link takes the victim to a fake site that imitates the real Xero page and offers a Zip archive for download. Inside the archive is a malicious JavaScript (.js) file, which is responsible for the actual infection. On a default Windows installation, double-clicking a .js file runs it with Windows Script Host rather than opening it in an editor, so the infection begins the moment the victim "opens the invoice".
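The mixture of genuine and malicious links described above is what makes this lure convincing, and it is also what a mail filter or a cautious recipient can check for. The following is an added example, not code from the original article or from Xero: it parses a constructed HTML email, collects every anchor, and flags any link whose real destination is not under the trusted brand domain, downloads an archive or script file, or shows a URL in its visible text that differs from its href. The sample email, the placeholder host in the reserved .example TLD, and the function names are all assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a lure like the one described above: every link but
# the "view invoice" one points at the real vendor. The malicious host is a
# placeholder in the reserved .example TLD, not a real domain.
SAMPLE_EMAIL_HTML = """
<p>Hi, a new invoice is ready for you.</p>
<p><a href="https://www.xero.com/">Xero</a> |
   <a href="https://www.xero.com/terms/">Terms</a> |
   <a href="https://login.xero.com/">Log in</a></p>
<p><a href="http://invoice-view.example/xero/invoice.zip">View and pay invoice</a></p>
<p><a href="https://www.xero.com/support/">Help</a></p>
"""

DOWNLOAD_EXTENSIONS = (".zip", ".js", ".jse", ".wsf", ".vbs", ".hta")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, trusted_domain):
    """True only for the trusted domain itself or a real subdomain of it.
    'xero.com.evil.example' must not match 'xero.com'."""
    host = host.lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def classify_link(href, text, trusted_domain):
    """Return the list of reasons a link is suspicious (empty if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https") or not host_matches(host, trusted_domain):
        reasons.append("destination host is not under " + trusted_domain)
    if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        reasons.append("link downloads an archive or script file")
    # Visible text that looks like a URL but points elsewhere is a classic tell.
    if text.lower().startswith(("http://", "https://")):
        shown_host = urlparse(text).hostname or ""
        if shown_host.lower() != host.lower():
            reasons.append("visible URL text does not match the real destination")
    return reasons


def find_offbrand_links(html, trusted_domain):
    """Return (href, text, reasons) for every suspicious link in the email."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = classify_link(href, text, trusted_domain)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in find_offbrand_links(SAMPLE_EMAIL_HTML, "xero.com"):
        print(f"suspicious link {text!r} -> {href}: {'; '.join(reasons)}")
```

Run against the sample, the four links to xero.com pass and only the "View and pay invoice" link is reported, for two reasons: it leaves the brand's domain and it downloads a .zip. The subdomain check is deliberately strict so that look-alike hosts such as a brand name used as a prefix of an attacker's domain are not accepted.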

When run, the script gathers details about the operating system, makes changes to Internet Explorer's configuration, and enumerates the user and machine by running the built-in Windows utilities net.exe and whoami.exe. Neither utility is malicious on its own; what is suspicious is their execution by a script host that was launched from a freshly downloaded archive.

The collected data is then encrypted and sent to a server controlled by the attackers.
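The behaviour described in the two paragraphs above (a .js file launched by Windows Script Host from a downloaded archive, which then runs net.exe and whoami.exe) is a process-tree pattern that endpoint telemetry can catch regardless of the script's contents. The following is an added example, not code from the article or from any vendor: it walks a constructed set of process-creation records, and raises an alert whenever a reconnaissance utility has a script host launched from a user-writable path somewhere in its ancestry. The field names, paths, PIDs and the Temp1_ folder name (where Windows Explorer extracts files opened directly from a zip) are assumptions made for this example; a real deployment would feed it Sysmon event 1 or Windows security event 4688 records instead.

```python
# Constructed process-creation records in the style of a Windows process
# audit. PIDs, user name and paths are made up for this example.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    # The victim double-clicks invoice.js straight out of the downloaded zip.
    {"pid": 5210, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    # The script enumerates the user via cmd.exe and directly.
    {"pid": 5222, "ppid": 5210, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami.exe /all"},
    {"pid": 5230, "ppid": 5222, "image": r"C:\Windows\System32\whoami.exe",
     "cmdline": r"whoami.exe /all"},
    {"pid": 5241, "ppid": 5210, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net.exe user"},
    # Benign control case: an administrator running net.exe from a normal shell.
    {"pid": 6000, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net.exe user"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RECON_TOOLS = {"net.exe", "net1.exe", "whoami.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")
# Locations a downloaded archive's contents typically land in (assumed).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\temp1_")
MAX_ANCESTRY_DEPTH = 5


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def script_from_user_path(event):
    """True if the event is a script host running a script from a user-writable path."""
    cmd = event["cmdline"].lower()
    return (basename(event["image"]) in SCRIPT_HOSTS
            and any(ext + '"' in cmd or cmd.endswith(ext) for ext in SCRIPT_EXTENSIONS)
            and any(marker in cmd for marker in USER_WRITABLE_MARKERS))


def detect(events):
    """Alert on recon utilities whose ancestry contains a suspicious script host.

    The walk goes through intermediate cmd.exe launches, because scripts
    commonly run utilities via 'cmd /c' rather than directly."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["image"]) not in RECON_TOOLS:
            continue
        current = event
        for _ in range(MAX_ANCESTRY_DEPTH):
            parent = by_pid.get(current["ppid"])
            if parent is None:
                break
            if script_from_user_path(parent):
                alerts.append({
                    "pid": event["pid"],
                    "tool": basename(event["image"]),
                    "script_host_pid": parent["pid"],
                    "script": parent["cmdline"],
                })
                break
            current = parent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} {alert['tool']} spawned under "
              f"script host pid={alert['script_host_pid']}: {alert['script']}")
```

On the sample data the two utilities launched under the script (whoami.exe through cmd.exe, and net.exe directly) are reported, while the administrator's interactive net.exe is not, because its ancestry never passes through a script host running a file from a download or temp location. Bounding the ancestry walk keeps the rule cheap and avoids attributing a utility to a script that ran hours earlier in the same session.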

The biggest threat, however, is the final payload: Dridex (also known as Bugat and Cridex), a banking Trojan[5] designed to steal online banking information so that its operators can carry out fraudulent transactions. It is usually delivered through email attachments, and it captures the data by injecting itself into the Chrome, Internet Explorer, and Firefox browsers.

To avoid similar threats, do not trust an email just because it appears to come from a reputable source. Be extremely careful with links and attachments: hover over a link to see its real destination before clicking, and treat a Zip archive that contains a script file (.js) as hostile, since a genuine invoice does not need one. If an invoice notification looks plausible, check it by logging into Xero directly rather than through the email. Keep anti-malware software up to date as well, but do not rely on it alone: a freshly repacked variant may not be detected on the day it arrives.

About the author

Gabriel E. Hall is an antivirus software specialist at Reviewedbypro.com.
