Throughout September, researchers at Forcepoint have been monitoring a malicious actor running an email-based malware campaign that uses a novel delivery mechanism to drop the previously hibernating Dridex Trojan.
Having experienced a quiet period Dridex is back with enhancements to the technique used in the email attachment and its ability to blacklist security researchers and commercial sandboxes.
In this campaign, emails masquerade as the Canadian Revenue Agency (CRA) claiming that the recipient has an outstanding tax payment but the attachment technique used is very unusual. The attached MSG file contains an embedded OLE object with a spoofed name, which is actually a JS Downloader, rather than another MSG attachment. Once the payload is executed a trojan is downloaded. The complexity of this format makes it difficult for security products to detect. Carl Leonard, principal security analyst at Forcepoint commented below.
Carl Leonard, Principal Security Analyst at Forcepoint:
“Forcepoint analysis has determined the malware payload to be DELoader (aka Terdot) which when executed downloads a Zeus variant banking Trojan. Zeus (aka ZBot) is an infamous banking Trojan which intercepts and modifies banking traffic to perform fraudulent transactions.
Seen previously in attacks against German nationals, DELoader was previously thought to be a generic downloader but we can now confirm it is only used to download this specific ZBot variant. By extracting and decrypting the Zeus configuration file, we have been able to obtain the list of banks it targets, these are mostly Canadian but some US and Australian too.”
The widespread use of the Zeus code base reveals its popularity amongst malware developers who are interested in creating a quick and easy banking Trojan. Forcepoint urges all regions to be alert, to take care when opening attachments and to ensure senders are verified.
More information on this is available on the Forcepoint blog: https://blogs.forcepoint.com/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.