Products
Products
Detection
Detection
Cofense Protect
Cofense PhishMe
Cofense LMS
Cofense Reporter
Response
Detection
Cofense Triage
Cofense Vision
Integration
Response
Cofense Intelligence
Cofense Validator
Managed Services
Intelligence
Managed PDR
Protect MSP
Solutions
Solutions
Solutions by Industry
Solutions By Industry
Critical Infrastucture
Financial Services
US Federal Government
Healthcare
Higher Education
Legal & Professional Services
Manufacturing
Energy/Utilities
Technology
Retail
Solutions by Topic
Solutions by Topic
Incident Response
Security Awareness Training
Compliance Resources
Election Security
Anti-Phishing
Phishing Training
Solutions by Role
Solutions by Role
Security Leadership
Security Partners
Security Specialists
Incident Response
Threat Intelligence
Security Awareness
About Cofense
About Cofense
Our Company
Our Company
About Us
Awards
Investors
Careers
News Center
Cofense Labs
Leadership
Leadership
Management Team
Board of Directors
Free Tools
Free Tools
Build Resilience
Build Resilience
Create Transparency
Create Transparency
Speed Response
Speed Response
Resources
Resources
Resource Library
Resource Library
All Resources
Whitepapers
Videos
Infographics
On-Demand Webinars
Podcasts
Events
Knowledge Center
Resources by Topic
Resource by Topic
Ransomware
Sextortion
Business Email Compromise
Cybersecurity Awareness Month
Community & News
Community & News
Email Gateway Infocenter
Coronavirus Infocenter
Remote Work Infocenter
Cofense CBFree
Phish Found in Environments Protected by SEGs
Request a Demo

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Awareness Toolkit

Webinars

Free Tools

All Resources

“American Rescue Plan” Used as Theme in Phishing Lures Dropping Dridex

Phishing | March 16, 2021

Phish Found in Environments Protected by SEGs

Mimecast

Proofpoint

Symantec MessageLabs

By Max Gannon

In the first week of March, Cofense saw distribution of an advanced phishing campaign taking advantage of current events to deliver malware. Although distribution is currently limited, this kind of lure could become more prevalent given the current tax season and interest in the American Rescue Plan.

The campaign in question, shown in Figure 1, impersonates the IRS using both the relevant logo and what appears to be the spoofed sender domain of IRS[.]gov.

Email Breakdown

A close examination of the email shows a few suspicious characteristics. The first is that the sender domain is in fact lrs[.]gov, using a lower-case L rather than an upper-case i. The phrasing within the document, while not clearly as bad as something auto-translated from another language, still has some mistakes that are unexpected from what purports to be a government communication. Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.

Figure 1: Original Email

Delivery Chain

When victims attempt to get an application form, they are directed to download an Excel spreadsheet from Dropbox. Much like the email, the spreadsheet is appropriately themed and convincing enough for some users to download it, open it and then enable macros.

Graphical user interface, application Description automatically generated

Figure 2: Dropbox Hosted File

While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script. The macros used by the .xlsm files drop an .xsl file to disk and then use a Windows Management Instrumentation (WMI) query to gather system information. A typical WMI query used to gather such information would employ a command line expression such as “/format:list” (see Figure 3) to display the information in a readable format.

Secure gateways miss phish; find out which ones fail, and how.

See the Examples

Graphical user interface, application Description automatically generated

Figure 3: List Formatted Query Response

The WMI query employed in this case, however, demands that the dropped .xsl file be used to format the response to the query. This formatting directive allows JavaScript contained in the .xsl file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell. The query “formatted” from the .xsl file shown in Figure 4 demonstrates that the .xsl file used for formatting certainly isn’t intended to make things more readable.