If you receive an email for your job termination right before Christmas, you should be extra careful. There is a new Dridex phishing campaign going on that is apparently sending such fake employment termination emails to its potential victims. This phishing attack was discovered by security researcher and Twitter user @ffforward.
You can see the email image below that comes with an attached Excel file with the name "TermLetter", probably meant as an abbreviation for Termination Letter.
.jpg){kind=link}
The email says that the employment of the person concerned ends on December 24th, a day before Christmas, and is meant to be a shocker for the reader so that the victim downloads and opens the Excel file with the provided password.
The Excel then asks the victim to Enable Content and a "Merry Xmas" message pops up to add salt to the wounds of the unbeknownst victim.
| | |
.jpg){kind=link}
.jpg){kind=link}
When the victim enables content, a malicious HTA file with VBScript disguised as an RTF file is created and launched inside the C:\ProgramData folder. This folder is generally hidden and needs to be unhidden to see the contents inside.
.jpg){kind=link}
This HTA malware file goes on to download Dridex from the Dridex Discord server. Apparently, the malicious file has been jokingly named by the threat actors as "jesusismyfriend.bin". Post-installation, Dridex proceeds to steal credentials and download other malware on the infected device.
Fake email and malicious HTML injections have been made by Dridex in the past too. For example, here is one from back in 2016.
Source and images: @ffforward (Twitter) via BleepingComputer