Dridex, banking malware is currently being used to deceive employees into clicking on malicious Excel documents.<\/p>\n\n\n\n
The malicious documents were sent to employees via fake employee termination emails.<\/p>\n\n\n\n
These emails use the subject line “Employee Termination.” The content informs recipients that their employment will end on December 24th, 2021.<\/p>\n\n\n\n
The email pointed out that “this decision is not reversible.” Embedded in the email is an attached Excel password-protected spreadsheet named ‘TermLetter.xls.”<\/p>\n\n\n\n
As soon as an employee opens the Excel spreadsheet and enters the password, a blurry “Personnel Action Form” appears, asking them to “Enable Content” to display it properly.<\/p>\n\n\n\n
Once activated, the victims receive a “Merry X-Mas Dear Employees!” pop-up message. Unknown to the victims, a malicious HTA file was stored in the C:\\ ProgramData folder during the process. HTA contains a malicious VBScript that downloads Dridex from Discord to infect the device.<\/p>\n\n\n\n
In order to mitigate this type of attack, users who receive such emails are advised to contact their human resources department or employees before opening the email.<\/p>\n\n\n