Author: Eric Patterson
On 12 March, Infoblox observed a malspam email campaign distributing the Dridex banking trojan via emails spoofing updated/adjusted invoice notifications from the shipping company Freight Quote.
Previous Infoblox reporting has highlighted Dridex campaigns distributing malspam masquerading as legitimate emails from organizations such as Intuit and Automatic Data Processing, Inc. (ADP).1,2
Dridex was first discovered in 2011 and has been a prolific banking trojan available on darknet markets.3 Threat actors historically favor this malware for larger scale, financially-motivated malspam campaigns.
Once a victim is infected, Dridex employs its core features of form grabbing and website injections to siphon online banking credentials and pilfer funds from the victims.
Emails in this campaign imitate financial invoices with subject lines similar to: Updated Invoice(s) with Adjustment. The fake invoice attachment is a Microsoft Office Excel (XLSM) macro-enabled file following the naming convention: Inv<9-11 digit number>.xlsm.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.