A new Dridex malware phishing campaign is using fake employee termination emails as a lure to open a malicious Excel document, which then trolls the victim with a season’s greeting message.
Dridex is a banking malware spread through malicious emails that was initially developed to steal online banking credentials. Over time, the developers evolved the malware to use different modules that provide additional malicious behavior, such as installing other malware payloads, providing remote access to threat actors, or spreading to other devices on the network.
This malware was created by a hacking group known as Evil Corp, which is behind various ransomware operations, such as BitPaymer, DoppelPaymer, WastedLocker variants, and Grief. Due to this, Dridex infections are known to lead to ransomware attacks on compromised networks.
Dridex affiliate trolls researchers, victims
A Dridex affiliate has been conducting numerous malicious email campaigns over the past few weeks where they troll researchers with email addresses and filenames composed of racist and antisemitic words.
A security researcher known as TheAnalyst discovered that Dridex is again trolling people, but this time it’s the victims who are being sent fake employee termination emails.
These emails use the subject of “Employee Termination” and tell the recipient that their employment is ending on December 24th, 2021, and that “this decision is not reversible.”
The emails include an attached Excel password-protected spreadsheet named ‘TermLetter.xls’ that allegedly contains information on why they are being fired and the password required to open the document.