DoppelDridex

By CagedTech in Banking Trojan

Translate To:

A new variant of the Dridex banking Trojan has been observed to be deployed in attack campaigns attributed to the DOPPEL SPIDER cybercrime group. The new version of Dridex was named DoppelDridex and is fetched from well-known content delivery networks (CDNs), such as Slack and Discord. The threat actor also deployed additional second-stage payloads, such as the Cobalt Strike, ensuring their backdoor access to the compromised systems, potential opportunities for lateral movement within the breached network, and escalating the attack by deploying the Grief Ransomware.

The attack begins with the distribution of bait emails carrying corrupted Microsoft Excel Binary Format (XLSB) files. To lure the unsuspecting victims into opening the attachments, the emails typically carry texts implying that an important invoice or tax-related information related to the user is contained inside the files. Triggering the results of the corrupted macro in the execution of a VBScript retrieves the DoppelDridex payload from the Slack or Discord CDN infrastructure controlled by the attackers.

The use of Discord as part of threatening campaigns has been on the rise, and it appears that cybercriminals also are trying to use Slack for the same purposes of staging payloads. These popular CDNs are less likely to be blocked by proxies or other network-based control systems.

Enigma Software Group Prevails Over Malwarebytes at the Ninth Circuit

Search

Change Region

DoppelDridex

Submit Comment

Trending

Safe Search Eng

Findtheirreport.com

MarioLocker Ransomware

Most Viewed

Is Lookmovie.io Safe?

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen