New malspam campaign delivers Dridex trojan and RMS RAT

• RMS RAT is a legitimate remote control utility which is being used by bad actors for various nefarious activities because of its capabilities.
• Dridex is a banking trojan which also uses web injects when visiting a targeted website.

Researchers from Cofense have uncovered a new malspam campaign that delivers Dridex banking trojan and Remote Manipulator System Remote Access Tool (RMS RAT) via malicious Microsoft Word document attachments.

How does it work?

• The phishing emails include malicious ZIP archived XLS Microsoft Excel documents disguised as fake eFax messages.
• The malicious documents are embedded with a macro which is designed to download and launch the Dridex trojan and RMS RAT.
• Upon execution, the Dridex trojan collects credentials from the web browsers and the RMS RAT manages the infected systems.

What does the phishing email say?

“Hello

You have received a 11 pages fax a <day> <date> <time>. The reference number for this fax is [eFax-<10 digits>]

To view the fax, download attached archive with document inside and open with Microsoft Office Word. Password for a personal document - ******

Please contact us if you have any problem with this fax,” the phishing email read, BleepingComputer reported.

What is the RMS RAT?

• RMS RAT is a legitimate remote control utility which is being used by bad actors for various nefarious activities because of its capabilities.
• Its capabilities include logging keystrokes, recording from the webcam or microphone, transferring files, as well as manipulating Windows Task Manager and other Windows utilities.
• Furthermore, since RMS RAT is a legitimate remote control software, most antivirus solutions will not detect it as malicious.

What is the Dridex trojan?

Dridex is a banking trojan which also uses web injects when visiting a targeted website. This is done by injecting the data-pilfering script into the web browser, enabling the malware to steal any info typed by the victim, as well as bypassing security questions and multi-factor authentication, and redirecting traffic.

Researchers noted that in this malspam campaign, the web injects used by the Dridex trojan were hardcoded within the trojan.

“In this case, the web injects used by Dridex were unusual because of both the large number of possible web inject scripts and the fact that some of the web injects were labeled as being from the Zeus banking trojan,” wrote the researchers.

Use of web injects

Researchers noted that three types of web inject were used in this campaign.

• The first type of web inject was used to hide or display content on certain web pages, making it possible to insert additional requests for personal questions used to verify banking accounts.
• The second type used in this campaign monitors the URLs visited by the browser and downloads additional files.
• The third type is downloaded from a remote host and includes additional capabilities such as greater information-gathering capacity.

Who are the targets?

The first type of web inject target cryptocurrency websites and banking websites. While the second type targets e-commerce websites. The cryptocurrency, banking, and e-commerce websites targeted in this campaign include Coinbase, HSBC, Synovus, PayPal, and Best Buy, among others.

“The final set of web injects are tagged as “Zeus” injects. The use of these injects is particularly unusual because several of the targeted websites overlap with those in other web injects, such as paypal[.]com and amazon[.]com,” noted the researchers.