Dridex is Sending Out Termination Letters and Fake COVID Notices

The latest Dridex phishing campaign has been using various hot topics to lure its victims, including COVID-19 funeral assistance and employee termination letters. Regardless of the message’s contents, the purpose of the email is to get the reader to click on an attachment, which is typically in Excel or Word format. Opening this document installs malicious code on the victim’s computer, which then performs a variety of actions.

The first known Dridex attack occurred in 2012, and it had become one of the most common financial Trojans by 2015. Analysts expect malicious actors to continue targeting financial institutions and their customers with Dridex for the foreseeable future.

Dridex email message are more effective than many other phishing schemes due to the efforts used to make them appear authentic. These messages generally use legitimate business names, domains and professional terminology. The content is also carefully chosen to create a sense of urgency with the reader, often by relying on current events. The sender’s email address usually appears legitimate because it’s something like name@domain.com, admin@domain.com or support@domain.com. In addition, the subject line and attachment title contains words such as “debit note,” “invoice,” “order” and “receipt,” which tend to get the reader’s attention. The use of multiple points of contact provides further credibility for the reader.


Security researchers from MalwareHunterTeam and 604Kuzushi reported on December 25, 2021 that attackers are using the COVID-19 Omicron variant to troll its victims. The message has a subject line that reads something like “COVID-19 Test Results,” with a message body that informs them they were exposed to a coworker who has Omicron variant.

The message also provides the password to open the attached Excel document. Once the victim clicks on the attachment and enters the password, a blurred document is displayed, and the victim is prompted to “Enable Content.” The malware embedded in the document then displays an alert that includes a fake number for a COVID-19 Funeral Assistance Helpline.

Termination Letter

In this variant of the Dridex campaign, the email message informs recipients that their employment will end on December 24, 2021, and this decision is irrevocable. A password-protected Excel spreadsheet is attached to the message, which contains the campaign’s payload. Opening the spreadsheet and entering the password displays a blurred form entitled “Personnel Action” that prompts readers to enable the content. If they do, the attachment displays a popup alert that reads something like “Merry X-Mas Dear Employees!.”

This action also executes malicious Excel macros that perform various actions such as launching an HTML Application (HTA) file with a random name. This file appears to be a Rich Text Format (RTF) file, but it’s actually a VBScript that downloads Dridex and a troll message from a Discord server. Once installed, Dridex performs malicious actions such as stealing the victim’s credentials and installing other malware.

Other Variants

Dridex has trolled for victims in various ways since its first appearance in 2012. In addition to Covid and employment terminations, Dridex attacks have also used racist and anti-Semitic content to persuade readers into opening the attachment. Furthermore, these campaigns have used methods to install Dridex that don’t rely on the user to take direct action. In December 2021, malicious actors installed Dridex by exploiting a vulnerability in the Log4j Java-based logging utility.

Dridex campaigns are taking advantage of current events to increase the likelihood that the recipients of their emails will open the attachment. Regardless of the specific message, the attachment contains the campaign’s payload. In the case of Dridex, attackers have remained particularly flexible in the message they use. Despite the ever-changing content, experts continue to recommend the standard practice of not opening email attachments until verifying the sender.

Stack of papers with pen, glasses and Termination text flickr photo by wuestenigel shared under a Creative Commons (BY) license

The post Dridex is sending out Termination Letters, Fake Covid Funerals appeared first on CHIPS


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.