“American Rescue Plan” Used as Theme in Phishing Lures Dropping Dridex

By Max Gannon

In the first week of March, Cofense saw distribution of an advanced phishing campaign taking advantage of current events to deliver malware. Although distribution is currently limited, this kind of lure could become more prevalent given the current tax season and interest in the American Rescue Plan.

The campaign in question, shown in Figure 1, impersonates the IRS using both the relevant logo and what appears to be the spoofed sender domain of IRS[.]gov.

Email Breakdown

A close examination of the email shows a few suspicious characteristics. The first is that the sender domain is in fact lrs[.]gov, using a lower-case L rather than an upper-case i. The phrasing within the document, while not as obviously flawed as machine-translated text, still contains mistakes that are unexpected in what purports to be a government communication. Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.

Figure 1: Original Email

Delivery Chain

When victims attempt to get an application form, they are directed to download an Excel spreadsheet from Dropbox. Much like the email, the spreadsheet is appropriately themed and convincing enough for some users to download it, open it and then enable macros.


Figure 2: Dropbox Hosted File

While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because the macros neither download malware directly nor run a PowerShell script. The macros used by the .xlsm files drop an .xsl file to disk and then use a Windows Management Instrumentation (WMI) query to gather system information. A typical WMI query used to gather such information would employ a command line expression such as “/format:list” (see Figure 3) to display the information in a readable format.


Figure 3: List Formatted Query Response

The WMI query employed in this case, however, directs that the dropped .xsl file be used to format the response to the query. This formatting directive allows JavaScript contained in the .xsl file to be executed via WMI and download malware, avoiding the more commonly seen PowerShell-based methods. The output “formatted” by the .xsl file, shown in Figure 4, demonstrates that the stylesheet certainly isn’t intended to make things more readable.
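The observable that separates this from routine administration is the value of the /format: switch: built-in formats such as list or csv resolve to stylesheets that ship with Windows, while this campaign supplies its own .xsl file. The following is an added example (not Cofense code, and not from the campaign) of detection logic over process-creation telemetry that flags a wmic.exe command line whose /format: value names a stylesheet file rather than a built-in format, and separately flags wmic launched by an Office process. It assumes the query is issued through wmic.exe and that image, parent image and command line are available, as in Sysmon event 1 or an EDR process event; the built-in format list and the sample events are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format names wmic accepts that resolve to stylesheets shipped under
# %SystemRoot%\System32\wbem. Constructed list for this example; extend it from a
# reference host if your environment uses others. Anything else is caller-supplied.
BUILTIN_FORMATS = {"list", "csv", "table", "htable", "hform", "mof", "rawxml", "xml",
                   "value", "textvaluelist"}

# Office binaries that should not be spawning wmic in most environments.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Captures the value after /format: whether it is bare, double-quoted or single-quoted.
FORMAT_RE = re.compile(r"/format\s*:\s*(\"[^\"]*\"|'[^']*'|\S+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (constructed; mirrors Sysmon event 1 fields)."""
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def format_argument(command_line: str) -> Optional[str]:
    """Return the /format: value with surrounding quotes removed, or None if absent."""
    m = FORMAT_RE.search(command_line)
    return m.group(1).strip("\"'") if m else None


def classify(event: ProcessEvent) -> List[str]:
    """Reasons this event looks like XSL-driven script execution via wmic; empty if none."""
    reasons: List[str] = []
    if basename(event.image) != "wmic.exe":
        return reasons
    fmt = format_argument(event.command_line)
    if fmt is not None:
        if "\\" in fmt or "/" in fmt or fmt.lower().endswith(".xsl"):
            # An explicit file is the pattern on this page: a dropped .xsl used as the "format".
            reasons.append(f"/format: points at a stylesheet file rather than a built-in format: {fmt}")
        elif fmt.split(":", 1)[0].lower() not in BUILTIN_FORMATS:
            # Built-in formats may carry a parameter after a second colon; compare the name only.
            reasons.append(f"/format: uses a format name not shipped with wmic: {fmt}")
    parent = basename(event.parent_image)
    if parent in OFFICE_IMAGES:
        reasons.append(f"wmic launched by an Office process: {parent}")
    return reasons


def triage_events(events: List[ProcessEvent]) -> List[Tuple[str, List[str]]]:
    """Return (command_line, reasons) for every event with at least one reason."""
    hits = []
    for e in events:
        r = classify(e)
        if r:
            hits.append((e.command_line, r))
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    # Routine administration: built-in list format from a shell.
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Windows\System32\cmd.exe",
                 "wmic os get caption,version /format:list"),
    # The pattern described on this page: Excel macro, dropped .xsl supplied as the format.
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r'wmic.exe os get /format:"C:\Users\Public\report.xsl"'),
    # A different process merely mentioning the switch in its arguments: must not fire.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
                 "cmd.exe /c echo /format:report.xsl"),
    # Office parent with a built-in format: worth a look, one reason only.
    ProcessEvent(r"C:\Windows\System32\wbem\wmic.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "wmic computersystem get /format:csv"),
]

if __name__ == "__main__":
    for cmd, reasons in triage_events(SAMPLE_EVENTS):
        print(cmd)
        for r in reasons:
            print("  -", r)
```

Pairing the command-line check with the parent-process check matters: on its own, an Office parent produces noise from add-ins and scripted workbooks, and on its own a custom .xsl can be legitimate reporting, but the two together describe exactly the delivery chain above.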