The latest spam campaign is equipped with the Dridex banking malware and targeting company accountants through deceptive emails.
According to Heimdal Security, this spam email is an unauthentic scanned document, which actually is a macros-enabled.doc.
The email attempts to pass as a genuine one under the subject title “Scanned from a Xerox Multifunction Printer.” The email also informs the receiver that the document has been scanned and directly sent to the recipient from the printer.
When or if the email is opened, the document instantly retrieves Dridex from numerous compromised web pages.
This attack although isn’t very different from any such spam campaign but it is much more “refined and stealthy” in its mechanism of hacking, says the CEO of Heimdal Security Morten Kjaersgaard.
Kjaersgaard says that “As users we need to constantly remind ourselves that hackers are getting better at what they do. This is serious business and we should consider this a serious threat.”
When the affected web pages were scanned by Heimdal on VirusTotal, just 5 out of over 20 antivirus solutions identified the malicious payload.
When Dridex penetrates into the victim’s system, it “sleeps” until banking credentials are typed in by the users. The information is immediately sent to the attackers.
Kjaersgaard suggests that a web filtering services should be used on the endpoint along with other conventional security procedures like signature-based detection.
He adds: “I would strongly urge users and companies to be very careful in keeping their software up-to-date and not trusting unlikely inbox items. This Dridex campaign is just the tip of a currently very big, and unfortunately increasing, iceberg.”
In May 2015, we had also reported how Dridex banking malware was delivered via Macro in PDF embedded word document.
So be careful while opening any email that comes with attachments. If you have received any such email contact us and we will get the sender blocked.
HeimdalSecurity