Dridex is active again; it has returned with phishing attacks masquerading as QuickBooks invoices. This ongoing phishing campaign started on April 19, and it targets users of the accounting software to infect their devices.

What has happened?

The recent attacks were identified by Bitdefender Antispam Lab, in which the attackers launched an Intuit-themed malspam campaign, targeting QuickBooks users with fake invoices and payment notifications.
  • The phishing campaign targets QuickBooks users all around the world. So far most of the malicious emails were observed in the U.S. (14%), followed by Germany, South Korea, and India (11%).
  • In addition, other targeted countries belonged to Europe, such as France and the U.K (7%); Italy (4%); Sweden (3%), and Belgium, Canada, Switzerland, Austria, and the Netherlands (2%).
  • Half of the spoofed emails originated from IP addresses in Italy and forged the QuickBooks header to add a touch of legitimacy. To avoid various detection tools, the attackers played with sender names and subject lines.
  • Moreover, the attackers created a custom email body in an attempt to bypass anti-phishing and anti-spam mechanisms. The emails have an Excel file carrying a hidden threat.

Recent Dridex activity

The primary objective of the Dridex banking trojan is to steal banking information from infected victims.
  • A month ago, a scam campaign was identified sending emails impersonating the IRS and delivering Dridex.
  • In addition, an increase was discovered in Dridex-related network attacks, that was fueled by the Cutwail botnet.


Emails purporting to be regular QuickBooks invoices received by small businesses or organizations can have severe security outcomes. Therefore, organizations should understand the risks of such threats and provide training to their employees to identify phishing emails and deploy reliable anti-malware.

Cyware Publisher