{"id":6125,"date":"2021-03-15T16:12:27","date_gmt":"2021-03-15T23:12:27","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6125"},"modified":"2024-04-26T13:20:50","modified_gmt":"2024-04-26T20:20:50","slug":"malspam-campaign-spoofing-shipping-company","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-shipping-company\/","title":{"rendered":"Malspam Campaign Spoofing Shipping Company"},"content":{"rendered":"

Author: Eric Patterson<\/strong>
\nTLP: WHITE<\/strong>
\n <\/p>\n

Overview<\/h3>\n

On 12 March, Infoblox observed a malspam email campaign distributing the Dridex banking trojan via emails spoofing updated\/adjusted invoice notifications from the shipping company Freight Quote.<\/p>\n

Previous Infoblox reporting has highlighted Dridex campaigns distributing malspam masquerading as legitimate emails from organizations such as Intuit and Automatic Data Processing, Inc. (ADP).1,2<\/sup><\/p>\n

Customer Impact<\/h3>\n

Dridex was first discovered in 2011 and has been a prolific banking trojan available on darknet markets.3<\/sup> Threat actors historically favor this malware for larger scale, financially-motivated malspam campaigns.<\/p>\n

Once a victim is infected, Dridex employs its core features of form grabbing and website injections to siphon online banking credentials and pilfer funds from the victims.<\/p>\n

Campaign Analysis<\/h3>\n

Emails in this campaign imitate financial invoices with subject lines similar to: Updated\u00a0 Invoice(s) with Adjustment<\/em>. The fake invoice attachment is a Microsoft Office Excel (XLSM) macro-enabled file following the naming convention: Inv<9-11 digit number>.xlsm<\/em>.<\/p>\n

Attack Chain<\/h3>\n

Downloading and opening the attached XLSM presents the user with a spoofed invoice statement portraying itself to be from Freight Quote. Once the victim enables macros, the Excel document appears to stop responding and prompts the user to close the document.<\/p>\n

During this time, the macro code attempts to beacon to several domains in order to download a stage two payload that would install Dridex on the victim machine. We were not able to download this second stage payload. However, had we been successful, the malware would presumably follow a conventional Dridex execution flow and attempt to hook into legitimate Windows processes to evade detection.<\/p>\n

Once installed, Dridex will attempt to uncover and steal sensitive banking information belonging to the victim and transmit that to one of its active command and control (C&C) channels via secure socket layer (SSL).<\/p>\n

Vulnerabilities & Mitigation<\/h3>\n

Dridex is a banking trojan with credential stealing functions. Infoblox recommends the following methods for detecting, preventing and mitigating Dridex attacks:<\/p>\n