“American Rescue Plan” Used as Theme in Phishing Lures Dropping Dridex
By Max Gannon
In the first week of March, Cofense saw distribution of an advanced phishing campaign taking advantage of current events to deliver malware. Although distribution is currently limited, this kind of lure could become more prevalent given the current tax season and interest in the American Rescue Plan.
The campaign in question, shown in Figure 1, impersonates the IRS using both the relevant logo and what appears to be the spoofed sender domain of IRS[.]gov.
Email Breakdown
A close examination of the email shows a few suspicious characteristics. The first is that the sender domain is in fact lrs[.]gov, using a lower-case L rather than an upper-case i. The phrasing within the document, while not as obviously flawed as something auto-translated from another language, still contains mistakes that are unexpected in what purports to be a government communication. Despite those issues, this campaign is likely to entice the average user who is in a hurry to learn more about the rescue plan.
Figure 1: Original Email
Delivery Chain
When victims attempt to get an application form, they are directed to download an Excel spreadsheet from Dropbox. Much like the email, the spreadsheet is appropriately themed and convincing enough for some users to download it, open it and then enable macros.
Figure 2: Dropbox Hosted File
While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because the macros do not directly download malware or run a PowerShell script. Instead, the macros in the .xlsm file drop an .xsl file to disk and then use a Windows Management Instrumentation (WMI) query to gather system information. A typical WMI query used to gather such information would employ a command-line switch such as “/format:list” (see Figure 3) to display the information in a readable format.
Figure 3: List Formatted Query Response
The WMI query employed in this case, however, directs that the dropped .xsl file be used to format the response to the query. This formatting directive allows JavaScript contained in the .xsl file to be executed via WMI and download malware, avoiding the more commonly seen PowerShell-based methods. The query output as “formatted” by the .xsl file, shown in Figure 4, demonstrates that the stylesheet used for formatting certainly is not intended to make things more readable.
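One way to catch this delivery step on the endpoint, as an added detection example that is not part of the Cofense write-up: constructed process-creation records are checked for wmic's /format: switch pointing at anything other than a built-in keyword, with extra weight when the parent process is an Office application. The built-in keyword list, the event field names and the sample paths are assumptions, not indicators from the campaign.

```python
import re

# Built-in wmic output formats (assumed list); these resolve to stylesheets
# shipped in %SystemRoot%\System32\wbem. Any other /format: value is treated
# by wmic as a path or URL to an XSL stylesheet, which is what the macro abuses.
BUILTIN_FORMATS = {
    "list", "csv", "table", "xml", "rawxml", "hform", "htable",
    "mof", "textvaluelist", "value", "texttable",
}
# Office processes that should not normally be spawning wmic at all.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

FORMAT_RE = re.compile(r'/format:\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)

def classify_format(cmdline):
    """Return a reason string if /format: names anything other than a built-in, else None."""
    m = FORMAT_RE.search(cmdline)
    if not m:
        return None
    value = (m.group(1) or m.group(2)).strip()
    low = value.lower()
    if low in BUILTIN_FORMATS:
        return None
    if "\\" in value or "/" in value or "://" in low or low.endswith(".xsl"):
        return "external XSL stylesheet supplied to /format: (%s)" % value
    return "unrecognised /format: keyword (%s)" % value

def triage(events):
    """Score process-creation events; return one alert per suspicious wmic invocation."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        if "wmic" not in cmd.lower():
            continue
        reason = classify_format(cmd)
        if reason is None:
            continue
        severity = "high" if ev["parent"].lower() in OFFICE_PARENTS else "medium"
        alerts.append({"parent": ev["parent"], "severity": severity, "reason": reason})
    return alerts

# Constructed sample events (paths are placeholders, not indicators from the campaign).
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "cmdline": "wmic os get Caption,Version /format:list"},
    {"parent": "EXCEL.EXE",
     "cmdline": 'wmic process get name /format:"C:\\Users\\Public\\Documents\\form.xsl"'},
    {"parent": "powershell.exe", "cmdline": "wmic computersystem get /format:csv"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```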