Fake eFax emails are now spreading Dridex Trojan, RMS RAT

Phishing attachments are dropping a dangerous combination of Trojan and remote access tool.
Written by Charlie Osborne, Contributing Writer

The Dridex banking Trojan is being deployed in a new phishing campaign which combines the malware with a remote access tool for the purpose of credential and information theft. 

Researchers from Cofense said this week that the new campaign is impersonating eFax, a modern, cloud-based variant of the traditional fax machine which is used by businesses to receive faxes across email and mobile devices. 

Image: Example phishing email

The phishing emails crafted for this wave of attacks include an attached .ZIP archive which contains an .XLS Microsoft Excel spreadsheet. 

The spreadsheet is malicious: it contains an Office macro which, should the victim enable it when prompted, downloads and executes both Dridex and the Remote Manipulator System Remote Access Tool (RMS RAT).
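The attachment chain above (a .ZIP carrying a macro-bearing .XLS) lends itself to a mail-gateway triage check. What follows is an added example, not Cofense's or the article's code: it unpacks a ZIP attachment, classifies each spreadsheet entry by its container format, and flags those carrying a VBA project. The OLE2 stream-name match is a heuristic rather than a full parser, and the sample archive is constructed inline.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls container header
SPREADSHEET_EXTS = (".xls", ".xlt", ".xla", ".xlsm", ".xlsb", ".xltm")
# OLE2 directory entries hold stream names as UTF-16LE; a macro-bearing legacy
# workbook carries a "_VBA_PROJECT" stream. String match only, not a full parser.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def detect_container(data: bytes) -> str:
    """Classify an attachment entry by its leading bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "unknown"

def has_vba_project(data: bytes) -> bool:
    """True when the workbook bytes carry a VBA project (macro code)."""
    kind = detect_container(data)
    if kind == "ole2":
        return VBA_STREAM_MARKER in data
    if kind == "ooxml":
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "xl/vbaProject.bin" in inner.namelist()
    return False

def triage_zip_attachment(zip_bytes: bytes) -> list:
    """One finding per spreadsheet inside a .ZIP attachment; other entries are ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SPREADSHEET_EXTS):
                continue
            data = zf.read(info)
            findings.append({"name": info.filename,
                             "container": detect_container(data),
                             "has_vba": has_vba_project(data)})
    return findings

# Constructed sample (not a real malware file): an OLE2-looking blob containing the
# VBA stream name, zipped under a fax-themed file name beside a harmless text file.
_fake_xls = OLE2_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 64
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("eFax_message.xls", _fake_xls)
    _zf.writestr("cover_note.txt", b"Your fax is attached.")
SAMPLE_ZIP_ATTACHMENT = _buf.getvalue()
```

A gateway rule built on this would hold any message whose findings include `has_vba: True` for analyst review rather than delivering it.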

The combination of both tools creates an interesting and sophisticated means of attack. 

Dridex, a banking Trojan whose latest strains have been able to avoid detection by traditional antivirus products, is able to steal bank credentials through browser sessions. 

Dridex uses a number of web injection scripts to compromise browser sessions, including some which previously belonged to the Zeus banking Trojan. The first type of script used by the malware is able to hide or display content on web pages, such as requesting additional information to 'verify' a user accessing their bank account. 

The second monitors the websites a victim visits, and the third script contains information-gathering functionality and is downloaded from a remote host. These scripts are hard-coded into the original malicious binary. 


Cryptocurrency websites including Coinbase, banking services such as hsbc.co.uk and synovus.com, as well as e-commerce platforms including PayPal and BestBuy are all targeted by the malware.

The Dridex script obtained from Zeus creates a duplicate attack list including a number of domains such as PayPal and Amazon. 

"By using multiple types of web injects, and in some cases duplicating websites of other web injects, the threat actors have a wide variety of possible targets at their disposal," Cofense says. "Using both old and new web injects can also help threat actors target information even when the structure of the web pages' URL has changed over time."


The further addition of RMS RAT, a legitimate utility repurposed for malicious activity, creates a scenario where Dridex's capabilities are enhanced to both compromise and remotely manage infected systems. 

The remote access tool is able to log keystrokes, record audio and visual footage from cameras and microphones, transfer files, and also tamper with Windows Task Manager and utilities. 

A further security concern with this malware package is its use of legitimate components, which could mean the threat is not immediately detected by traditional antivirus programs. 


"The dual-pronged attack, in this case, provided the threat actors with multiple methods of compromise, access to data, and some resistance to traditional endpoint protections," Cofense says. "RMS RAT provided remote access, keylogging, and credential stealing. And using different types of web injects enabled threat actors to utilize some of the features of Zeus to improve the capabilities of Dridex."

A full list of Indicators of Compromise (IoCs) has been provided by Cofense.
