A noteworthy threat group, TA575, has been observed using holiday-themed lures in its recent attack campaigns. The main goal of the campaigns is to lure victims into downloading the banking trojan, Dridex.
What has happened?
Researchers from Proofpoint have observed multiple campaigns between November and December.
- The campaigns have targeted multiple industries, including education, local government, manufacturing, insurance, and finance in the U.S.
- The group sent a number of different emails and malicious docs.
- Spam emails used subjects such as “Black firday and Cyber Monday Survey Scam alert” and “Christmas tips: Preparing for Holydays” (with the notable spelling errors for Friday and Holidays).
November activities
In November, the spam emails spread malicious Microsoft Excel file attachments. If a user opens the file, the XL4 macros are downloaded and Dridex gets executed with affiliate id "22201" from a URL.
- In the same month, the campaign later shifted to Dridex affiliate ID "22202" from Discord URLs. The attackers used Discord's content delivery network to host and spread the banking trojan in other campaigns.
- Further, the threat group shifted away from religious themes used in 2020 and started targeting users looking for discounts and fears of being scammed this holiday season.
December activities
In December, it used Microsoft Excel and Word attachments to spread Dridex via HTA files, remote templates, and Discord URLs.
- The campaign used Dridex affiliate IDs "22201" and "22204."
- Additionally, the emails combined themes and used both approaching holidays and the new year with the U.S. tax filing preparation and spoofing well-known do-it-yourself tax services.
Conclusion
The TA575 group is taking advantage of current events and fooling victims with fake offers and promises. Thus, users should always stay vigilant in the festive season, when cybercriminals often send spam emails with such lures. For better protection, use web-based email gateways and install reliable anti-malware solutions.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_399778786.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/f8a2_shutterstock_78828187.jpeg)
