DoppelDridex Description

A new variant of the Dridex banking Trojan has been observed to be deployed in attack campaigns attributed to the DOPPEL SPIDER cybercrime group. The new version of Dridex was named DoppelDridex and is fetched from well-known content delivery networks (CDNs), such as Slack and Discord. The threat actor also deployed additional second-stage payloads, such as the Cobalt Strike, ensuring their backdoor access to the compromised systems, potential opportunities for lateral movement within the breached network, and escalating the attack by deploying the Grief Ransomware.

The attack begins with the distribution of bait emails carrying corrupted Microsoft Excel Binary Format (XLSB) files. To lure the unsuspecting victims into opening the attachments, the emails typically carry texts implying that an important invoice or tax-related information related to the user is contained inside the files. Triggering the results of the corrupted macro in the execution of a VBScript retrieves the DoppelDridex payload from the Slack or Discord CDN infrastructure controlled by the attackers.

The use of Discord as part of threatening campaigns has been on the rise, and it appears that cybercriminals also are trying to use Slack for the same purposes of staging payloads. These popular CDNs are less likely to be blocked by proxies or other network-based control systems.