On 5 May, Infoblox observed a malicious spam (malspam) campaign using Microsoft Excel (XLS) documents to deliver the Dridex banking trojan via embedded PowerShell commands.
The malspam distributed in this campaign impersonated messages from Intuit, the software company behind TurboxTax and QuickBooks. Aspects of this campaign differ slightly from those we previously reported on, but the goal of stealing credentials has remained the same.1,2
The attachment we observed is an uncompressed, non-password protected XLS file. Once opened, it immediately appears to error out or quit, but does not provide the user with the customary notification that Windows processes have stopped responding. At this point, the file invokes the Windows Management Interface Command (WMIC) to call powershell.exe.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.