Author: Eric Patterson
On 24 September, Infoblox observed a malicious spam (malspam) email campaign distributing the Dridex banking trojan via emails spoofing FedEx package delivery notifications [1].
In previously reported Dridex campaigns, the emails masqueraded as notifications from other legitimate companies such as Automatic Data Processing, Inc. (ADP), eFax, and Intuit [2, 3, 4].
Dridex was first discovered in 2011 and has consistently been one of the most prolific banking trojans on the market [5]. Threat actors typically favor this malware for large-scale, financially motivated malspam campaigns.
Once a victim is infected, Dridex uses its core functionalities of website injections and form grabbing to siphon online banking credentials and pilfer funds from the victims.
Emails in this campaign imitate FedEx shipment delivery notifications, with subject lines of the form "FedEx Shipment <fake 12-digit tracking number>: Delivered". The message body uses HTML formatting to mimic the layout, format, and style of a standard FedEx delivery email. By all measurable standards, the malicious message body appears identical to legitimate emails sent by FedEx.
The sender addresses are slight variations of FedEx's legitimate email accounts.
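Because the message body is indistinguishable from a genuine FedEx notification, the two observable handles a mail gateway or SOC analyst has are the subject-line pattern and the sender domain. The following is an added example (not Infoblox's code or any FedEx-published rule) of a triage heuristic built on exactly those two handles: it matches the reported subject format and flags sender domains that imitate fedex.com without being on a trusted allowlist. The allowlist, the sample messages, and the lookalike domains are constructed for illustration.

```python
"""Added example, not from the Infoblox report: heuristic triage for the
FedEx-themed Dridex lure. All sample messages and domains are constructed."""
import re
from email.utils import parseaddr

# Subject format reported for the campaign: "FedEx Shipment <12 digits>: Delivered"
LURE_SUBJECT_RE = re.compile(r"^FedEx Shipment \d{12}: Delivered$")

# Assumed allowlist of domains FedEx legitimately sends from (illustrative only).
TRUSTED_DOMAINS = {"fedex.com"}
IMPERSONATED_LABEL = "fedex"


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain from a From: header, or '' if it has no address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes (fedx, fedexx)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the sender domain imitates the brand but is not a trusted domain."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    if IMPERSONATED_LABEL in domain:          # e.g. fedex-delivery.com, mail-fedex.net
        return True
    labels = domain.split(".")
    # Registrable label, assuming a single-label TLD (e.g. "fedx" in fedx.com).
    core = labels[-2] if len(labels) >= 2 else labels[0]
    return edit_distance(core, IMPERSONATED_LABEL) <= 1


def triage(message: dict) -> dict:
    """Score one message (dict with 'from' and 'subject') against the lure indicators."""
    reasons = []
    if LURE_SUBJECT_RE.match(message.get("subject", "")):
        reasons.append("subject matches the FedEx delivery-notification lure pattern")
    domain = sender_domain(message.get("from", ""))
    lookalike = is_lookalike(domain)
    if lookalike:
        reasons.append(f"sender domain '{domain}' imitates fedex.com")
    # A genuine FedEx notification also matches the subject pattern, so the subject
    # alone only earns a review; a lookalike sender is what makes it suspicious.
    if lookalike:
        verdict = "suspicious"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "sender_domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages: one lure, one legitimate-looking notice, one unrelated.
    samples = [
        {"from": "FedEx <TrackingUpdates@fedex-delivery.com>",
         "subject": "FedEx Shipment 774109322816: Delivered"},
        {"from": "FedEx <TrackingUpdates@fedex.com>",
         "subject": "FedEx Shipment 123456789012: Delivered"},
        {"from": "alice@example.org", "subject": "lunch tomorrow?"},
    ]
    for msg in samples:
        print(triage(msg))
```

The deliberate asymmetry in the verdict logic is the point: the report notes that the body and subject are faithful copies, so a rule keyed on them alone would quarantine real FedEx mail. Tying the "suspicious" verdict to the sender domain keeps false positives down while still surfacing subject-only matches for review, and the same structure extends to the ADP, eFax, and Intuit themes by adding a brand label and allowlist per theme.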
The email infrastructure for delivering the Dridex malware includes fraudulent sites under a wide range of top-level domains (TLDs). The registration information for the associated domains also spans various registrars and nameservers, with no discernible pattern or preference.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.