Fired via email right before Christmas? Careful! You could be a victim of the deadly Dridex


If you receive an email about your job being terminated right before Christmas, you should be extra careful. A new Dridex phishing campaign is apparently sending such fake employment termination emails to its potential victims. This phishing attack was discovered by security researcher and Twitter user @ffforward.

The email, shown in the image below, comes with an attached Excel file named "TermLetter", probably meant as an abbreviation for Termination Letter.

Dridex phishing attack

The email says that the recipient's employment ends on December 24th, a day before Christmas. It is meant to shock the reader into downloading the Excel file and opening it with the provided password.

The Excel file then asks the victim to Enable Content, and a "Merry Xmas" message pops up to rub salt in the wounds of the unsuspecting victim.

Dridex phishing attack: Xmas wish troll

When the victim enables content, a malicious HTA file containing VBScript, disguised as an RTF file, is created and launched inside the C:\ProgramData folder. This folder is generally hidden and needs to be unhidden to see its contents.

Dridex phishing attack: malicious VBScript HTA file

This malicious HTA file goes on to download Dridex from the Dridex Discord server. Apparently, the threat actors have jokingly named the malicious file "jesusismyfriend.bin". Once installed, Dridex proceeds to steal credentials and download other malware onto the infected device.

Dridex has used fake emails and malicious HTML injections in the past too. For example, here is one from back in 2016.
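A triage check for the disguised file described above, added here as an example and not taken from the article or the researcher: it walks a folder such as C:\ProgramData and reports files named `.rtf` whose content is not RTF or carries HTA/VBScript markers. The marker list, function names and sample bytes are assumptions constructed for this illustration.

```python
import re
import sys
from pathlib import Path

RTF_MAGIC = b"{\\rtf"  # a genuine RTF document starts with these bytes
# Heuristic HTA/VBScript markers (assumed for this example, not from the article)
SCRIPT_MARKERS = re.compile(
    rb"<hta:application|<script[^>]*vbscript|createobject\s*\(|wscript\.shell",
    re.IGNORECASE,
)
# Constructed, harmless samples
SAMPLE_RTF = b"{\\rtf1\\ansi Constructed benign letter.}"
SAMPLE_HTA = (b'<html><head><hta:application id="demo"/>'
              b'<script language="VBScript">MsgBox "constructed"</script></head></html>')

def _normalize(data: bytes) -> bytes:
    """Convert UTF-16 (BOM-prefixed) content to UTF-8 so the markers still match."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="ignore").encode("utf-8")
    return data

def classify_rtf(data: bytes) -> str:
    """Classify the content of a file named *.rtf."""
    data = _normalize(data)
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:len(RTF_MAGIC)]
    if SCRIPT_MARKERS.search(data):
        return "masquerading-script"  # script/HTA markers inside a ".rtf"
    return "rtf" if head == RTF_MAGIC else "not-rtf"

def scan(root: str, max_bytes: int = 1_000_000) -> list:
    """Return (path, verdict) for every *.rtf under root that is not plain RTF."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".rtf" or not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                verdict = classify_rtf(fh.read(max_bytes))
        except OSError:
            continue  # locked or unreadable file
        if verdict != "rtf":
            findings.append((str(path), verdict))
    return sorted(findings)

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else r"C:\ProgramData"):
        print(*hit, sep="\t")
```

A hit is a lead for investigation rather than a verdict: legitimate RTF files that merely quote script text will also be flagged.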

Source and images: @ffforward (Twitter) via BleepingComputer
