"$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware"

Researchers at Cofense have discovered that cybercriminals have wasted no time in hopping on the COVID-19 relief legislation just signed into law (American Rescue Plan) as a lure for email-based scams.  A campaign began circulating in March that capitalized on Americans’ interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS, using the agency’s official logo and a spoofed sender domain of IRS[.]gov.  The email claims to offer an application for financial assistance. In reality, the emails provide the Dridex banking trojan.  The email says, “It is possible to get aid from the federal government of your choice,” and then offers “quotes” such as a $4,000 check, the ability to skip the queue for vaccination, and free food.  There is a button in the email that says, “Get apply form,” and if the user clicks the button, then users are taken to a Dropbox account where they see an Excel document that says, “Fill this form below to accept Federal State Aid.” However, to see this supposed IRS form in its entirety, victims are prompted to enable content. If they do, they trigger macros that set off the infection chain indirectly.  The researchers stated that the macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.  The WMI query employed in this case demands that the dropped .XSL file is used to format the response to the query.  This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.

Threatpost reports: "$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware"