“American Rescue Plan” Used as Theme in Phishing Lures Dropping Dridex

Share Now


By Max Gannon

In the first week of March, Cofense saw distribution of an advanced phishing campaign taking advantage of current events to deliver malware. Although distribution is currently limited, this kind of lure could become more prevalent given the current tax season and interest in the American Rescue Plan.

The campaign in question, shown in Figure 1, impersonates the IRS using both the relevant logo and what appears to be the spoofed sender domain of IRS[.]gov.

Email Breakdown

A close examination of the email shows a few suspicious characteristics. The first is that the sender domain is in fact lrs[.]gov, using a lower-case L rather than an upper-case i. The phrasing within the document, while not clearly as bad as something auto-translated from another language, still has some mistakes that are unexpected from what purports to be a government communication. Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.

Figure 1: Original Email

Delivery Chain

When victims attempt to get an application form, they are directed to download an Excel spreadsheet from Dropbox. Much like the email, the spreadsheet is appropriately themed and convincing enough for some users to download it, open it and then enable macros.

Graphical user interface, application Description automatically generated

Figure 2: Dropbox Hosted File

While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script. The macros used by the .xlsm files drop an .xsl file to disk and then use a Windows Management Instrumentation (WMI) query to gather system information. A typical WMI query used to gather such information would employ a command line expression such as “/format:list” (see Figure 3) to display the information in a readable format.

Graphical user interface, application Description automatically generated

Figure 3: List Formatted Query Response

The WMI query employed in this case, however, demands that the dropped .xsl file be used to format the response to the query. This formatting directive allows JavaScript contained in the .xsl file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell. The query “formatted” from the .xsl file shown in Figure 4 demonstrates that the .xsl file used for formatting certainly isn’t intended to make things more readable.

Graphical user interface, text, application Description automatically generated

Figure 4: Malicious .xsl Formatted Query Response

In the case of this campaign, the resulting malware was Dridex. It primarily acts as a banking Trojan but has many other capabilities as well.


The first step in mitigation for this and other similarly advanced attacks is to train employees to watch for common signs of phishing. For example, employees can condition themselves to scan for slight differences between legitimate and spoof domains, such as irs[.]gov versus lrs[.]gov. Similar campaigns, which spoofed a prominent car company, appeared legitimate other than the sender domain replaced the letter “l” with the number “1”. In this specific case, stopping to think before clicking the link would provide time for recipients to realize the IRS is not going to send something like this via email. The unusual usage of .xsl files for script processing has been written up by MITRE here, including mitigation and detection advice. As a general rule, WMI and PowerShell should be carefully monitored on most workstations.

Managed Defense and Response

Campaigns like this can be headed off with tools built for threats and tactics designed to evade secure email gateways (SEGs). This campaign illustrates how automated systems – such as those identified at the top of this article – fail to outperform humans, and the network effect of people as sensors, spotting and reporting suspicious email.

Cofense is uniquely positioned to catch phish that have turned up in environments protected by SEGs. With the Cofense Managed Phishing Detection and Response platform, provided through our Phishing Defense Center (PDC), enterprises benefit from our complete view of real phishing threats. In five years, no customer using the Cofense PDC has experienced a breach resulting from a phishing attack.

We’re ready to help you better secure your business. Contact us today to discuss your objectives and best solutions.

Indicators of Compromise

Office Macro Payload URLs
Dridex Command and Control Hosts
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.


We use our own and third-party cookies to enhance your experience by showing you relevant content, personalizing our communications with you, and remembering your preferences when you visit our website. We also use them to improve the overall performance of our site. You can learn more about the cookies and similar technology we use by viewing our privacy policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.

This site is registered on wpml.org as a development site.