Cybercriminals have wasted no time in hopping on the American Rescue Plan – the COVID-19 relief legislation just signed into law – as a lure for email-based scams.
According to researchers at Cofense, a campaign began circulating in March that capitalized on Americans’ interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS, using the agency’s official logo and a spoofed sender domain of IRS[.]gov – and claim to offer an application for financial assistance. In reality, the emails offer the Dridex banking trojan.
The email says, “It is possible to get aid from the federal government of your choice” and then offers “quotes” for a pie-in-the-sky litany of great (and nonexistent) things – such as a $4,000 check, the ability to “skip the queue for vaccination” and free food.
There’s a button that says, “Get apply form” – if clicked, users are taken to a Dropbox account where they see an Excel document that says, “Fill this form below to accept Federal State Aid.” However, to see this supposed IRS form in its entirety, victims are prompted to enable content. If they do, they trigger macros that set off the infection chain indirectly, according to Cofense.
The email lure. Source: Cofense.
“While static analysis easily identifies the URLs used to download malware in this case, automated behavioral analysis may have trouble recognizing the activity as malicious because it does not use macros to directly download malware or run a PowerShell script,” Cofense researchers explained, in a posting on Tuesday. “The macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information.”
WMI is a subsystem of PowerShell that gives admins access to system monitoring tools, including the ability to ask for information about anything that exists on a given computer – such as which files and applications are present. It can also request responses to these queries to be given in a certain format.
Since its first appearance in 2011, the Dridex malware (a.k.a. Bugat and Cridex) has been deployed via phishing emails and generally targets banking information. After capturing banking credentials, it endeavors to make unauthorized electronic funds transfers from unknowing victims’ bank accounts.
By 2015, the malware was one of the most prevalent financial trojans in the wild, particularly when it came to targeting corporate employees; while later versions of the malware were designed with the added function of assisting in the installation of ransomware. It has also enhanced its obfuscation capabilities over time.
In December 2019, authorities cracked down on Russian-speaking cybercrime group Evil Corp. with sanctions and charges against its leader, Maksim Yakubets, known for his lavish lifestyle. U.S. authorities are still offering up to $5 million for information leading to his arrest; they allege that Yakubets and Evil Corp. have stolen millions of dollars from victims using the Dridex banking trojan and Zeus malware.
This latest campaign is convincing, researchers said – to a certain extent. One sneaky trick the attackers use is that the email domain is lRS[.]gov – but with a lower-case ‘L’ rather than an upper-case ‘I.’
However, phrasing like “Federal State Aid” (federal and state aid are two different things) and off grammar such as “the federal government of your choice” should set off warning bells.
“A close examination of the email shows a few suspicious characteristics,” according to Cofense. “The phrasing within the document, while not clearly as bad as something auto-translated from another language, still has some mistakes that are unexpected from what purports to be a government communication.”
They added, “Despite those issues, this campaign is likely to entice the average user who’s in a hurry to learn more about the rescue plan.”
To avoid becoming a victim, users should hone their phishing-recognition skills, such as scanning for slight differences between legitimate and spoofed domains. And for businesses, “as a general rule, WMI and PowerShell should be carefully monitored on most workstations,” Cofense recommended.
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community: