Cloud Threats Memo: Dridex Phishing Posing as COVID-19 Relief

Not even seven days after its public release, the American Rescue Plan Act has already been exploited by cybercriminals. This is the latest example of using a relief measure as bait for phishing or malware delivery.

To go into more detail, a recent campaign is impersonating the US Internal Revenue Service, using their official logo and a spoofed domain. The email purports to offer an application for financial assistance, but in reality, the $4,000 stimulus check offered hides the Dridex banking trojan, delivered by exploiting a legitimate cloud service within the kill chain. Legitimate cloud services are implicitly trusted by the user and able to bypass legacy security technologies that don’t have instance detection capabilities and can’t perform TLS decryption at scale. Moreover, they offer an easy-to-setup infrastructure for the attackers.

The message contains a “Get apply form” button that, if clicked, takes the victim to a Dropbox account where an Excel document must be downloaded. You can easily imagine how the rest of the story goes: in order to read the document the user must enable the content of the document and this operation triggers the next steps of the infection chain, downloading an additional XLS document that exploits the Windows Management Instrumentation (WMI) to execute its Javascript code and retrieve the Dridex malware payload.

How Netskope Mitigates This Threat

Dropbox is one of the 2000+ services for which the Netskope Next Gen SWG can provide granular access control and instance detection. Netskope customers can easily configure a policy that applies a block or a user alert in case of potentially dangerous activities (such as download) performed on non-corporate cloud storage services, or non-corporate instances of approved cloud services.

Additionally, customers with the advanced threat protection license can leverage the machine learning engine to detect Office documents containing malicious macros, regardless of where they are downloaded from, whether it’s a traditional domain or a legitimate cloud service exploited by the threat actors to bypass legacy defenses.

Stay safe!