$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware

silversurfer

Level 83
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,280
Cybercriminals have wasted no time in hopping on the American Rescue Plan – the COVID-19 relief legislation just signed into law – as a lure for email-based scams.

According to researchers at Cofense, a campaign began circulating in March that capitalized on Americans’ interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS, using the agency’s official logo and a spoofed sender domain of IRS[.]gov – and claim to offer an application for financial assistance. In reality, the emails offer the Dridex banking trojan.

The email says, “It is possible to get aid from the federal government of your choice” and then offers “quotes” for a pie-in-the-sky litany of great (and nonexistent) things – such as a $4,000 check, the ability to “skip the queue for vaccination” and free food.

There’s a button that says, “Get apply form” – if clicked, users are taken to a Dropbox account where they see an Excel document that says, “Fill this form below to accept Federal State Aid.” However, to see this supposed IRS form in its entirety, victims are prompted to enable content. If they do, they trigger macros that set off the infection chain indirectly, according to Cofense.
“While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script,” Cofense researchers explained, in a posting on Tuesday. “The macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.”

WMI is a subsystem of PowerShell that gives admins access to system monitoring tools, including the ability to ask for information about anything that exists on a given computer – such as which files and applications are present. It can also request responses to these queries to be given in a certain format.

“The WMI query employed in this case…demands that the dropped .XSL file be used to format the response to the query,” researchers wrote. “This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.”