Xero-Spoofing Phishing Campaign Spreads Dridex Globally
A sophisticated phishing campaign is making the rounds, targeting victims by sending spoofed email messages appearing to come from Xero. If fooled, victims find themselves dealing with a banking trojan (Dridex) and information-stealing activity.
Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. According to researchers Fahim Abbasi and Rodel Mendrez at Trustwave, the imposter messages are well-done, and look like professionally crafted billing messages that recommend that users view their bill invoice online by clicking on the invoice link.
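The lure described above rests on two things a mail filter can check: a display name or subject that names a brand whose legitimate sending domain does not match the actual sender, and an "invoice" link that leads somewhere off-brand. The triage script below is an added example, not code from the article or from Trustwave; the brand-to-domain mapping, the message samples and the `.example` hostnames are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands worth watching and the sender domains they legitimately use.
# This mapping is an assumption for the example, not taken from the article.
KNOWN_BRAND_DOMAINS = {
    "xero": {"xero.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the constructed samples here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brands_mentioned(text: str) -> list:
    low = text.lower()
    return [brand for brand in KNOWN_BRAND_DOMAINS if brand in low]


def triage(raw_message: str) -> list:
    """Return human-readable findings for one RFC 822 message; empty list = nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    subject = msg.get("Subject", "")

    # 1. Brand named in the display name or subject, but the From domain is not the brand's.
    for brand in brands_mentioned(display_name + " " + subject):
        if registrable_domain(from_domain) not in KNOWN_BRAND_DOMAINS[brand]:
            findings.append(f"claims to be {brand} but From domain is '{from_domain}'")

    # 2. Reply-To routed to a domain other than the one the message claims to come from.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if registrable_domain(reply_domain) != registrable_domain(from_domain):
            findings.append(f"Reply-To domain '{reply_domain}' differs from From domain")

    # 3. "View your invoice" links that lead off-brand (plain-text body only in this example).
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    claimed = set()
    for brand in brands_mentioned(display_name + " " + subject + " " + body):
        claimed |= KNOWN_BRAND_DOMAINS[brand]
    if claimed:
        for url in URL_RE.findall(body):
            host = urlparse(url.rstrip(".,)")).hostname or ""
            if registrable_domain(host) not in claimed:
                findings.append(f"link to '{host}' does not belong to the claimed brand")
    return findings


# Constructed sample: brand in display name, lookalike sender, off-brand invoice link.
SPOOFED = """From: Xero Billing <billing@xero-billing.example>
Reply-To: accounts@mail.example
Subject: Your Xero invoice INV-0001 is ready
Content-Type: text/plain; charset=utf-8

Hi,
Your monthly invoice is ready. View your invoice online:
https://invoices.xero-billing.example/view?id=0001
Thanks, Xero Billing Team
"""

# Constructed sample of a benign message for contrast (sender host is made up).
LEGIT = """From: Xero <no-reply@post.xero.com>
Subject: Your invoice from Example Co
Content-Type: text/plain; charset=utf-8

View your invoice at https://in.xero.com/abc123
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(sample))
```

Each finding is a weak signal on its own; the value is in stacking them so that a message hitting all three checks is quarantined while a genuine notification with a single unusual tracking host only gets flagged for review.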
“This is a sophisticated malware sample that performs multiple tasks,” the researchers explained, in an analysis. “It first gathers information about the system, installed applications and users. This is followed by several system-wide policy settings and configuration changes for Internet Explorer through the registry. The malware also attempts to hook benign Windows processes like whoami.exe and net.exe,” with which it collects system information. This information is stored in XML format and is then encrypted and exfiltrated to the control server.
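The researchers describe the loader using whoami.exe and net.exe to collect system information. From a detection standpoint the cheapest signal is process telemetry: those binaries are rarely run by document viewers or script hosts, and a burst of several of them under one parent is unusual even under cmd.exe. The rule below is an added example, not from the article or Trustwave. It assumes Sysmon-style process-creation events with parent image and PID, and it models the simpler case where the recon tools are launched as child processes (the article says "hook", which may mean something lower-level); the parent list, window and threshold are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in recon tools the article names, plus a couple of common companions (assumption).
RECON_BINARIES = {"whoami.exe", "net.exe", "net1.exe", "systeminfo.exe"}

# Parents that have no business spawning recon tools (assumption for this example).
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "powershell.exe"}

WINDOW = timedelta(minutes=2)   # burst window for the generic rule
THRESHOLD = 2                   # distinct recon tools within WINDOW to alert


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """events: dicts with time (datetime), host, parent_pid, parent_image, image, cmdline."""
    by_parent = defaultdict(list)
    for e in events:
        if basename(e["image"]) in RECON_BINARIES:
            key = (e["host"], e["parent_pid"], basename(e["parent_image"]))
            by_parent[key].append(e)

    alerts = []
    for (host, ppid, parent), evs in by_parent.items():
        evs.sort(key=lambda x: x["time"])
        tools = sorted({basename(x["image"]) for x in evs})
        # Rule A: any recon tool under a document viewer or script host is high severity.
        if parent in SUSPECT_PARENTS:
            alerts.append({"host": host, "parent": parent, "parent_pid": ppid,
                           "severity": "high",
                           "reason": f"{parent} spawned {', '.join(tools)}"})
            continue
        # Rule B: otherwise require a burst of distinct recon tools within WINDOW.
        for i, first in enumerate(evs):
            burst = [x for x in evs[i:] if x["time"] - first["time"] <= WINDOW]
            burst_tools = sorted({basename(x["image"]) for x in burst})
            if len(burst_tools) >= THRESHOLD:
                alerts.append({"host": host, "parent": parent, "parent_pid": ppid,
                               "severity": "medium",
                               "reason": f"{len(burst_tools)} recon tools under {parent} "
                                         f"within {WINDOW.seconds // 60} min: "
                                         f"{', '.join(burst_tools)}"})
                break
    return alerts


def t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed events: one Office-spawned pair, one console admin, one cmd.exe burst,
# and two net.exe runs far enough apart not to count as a burst.
SAMPLE_EVENTS = [
    {"time": t("2017-10-20 10:00:00"), "host": "ws01", "parent_pid": 1001,
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"time": t("2017-10-20 10:00:03"), "host": "ws01", "parent_pid": 1001,
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net view"},
    {"time": t("2017-10-20 11:00:00"), "host": "ws02", "parent_pid": 2000,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"time": t("2017-10-20 12:00:00"), "host": "ws02", "parent_pid": 3000,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /all"},
    {"time": t("2017-10-20 12:00:05"), "host": "ws02", "parent_pid": 3000,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"time": t("2017-10-20 12:00:10"), "host": "ws02", "parent_pid": 3000,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net localgroup administrators"},
    {"time": t("2017-10-20 13:00:00"), "host": "ws03", "parent_pid": 4000,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use"},
    {"time": t("2017-10-20 13:30:00"), "host": "ws03", "parent_pid": 4000,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["reason"])
```

Grouping by parent PID rather than by parent name keeps a long-lived admin shell from accumulating hits across a whole day; the two-minute window does the same for the generic rule, which is why the ws03 pair stays quiet.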
And, of course, it drops Dridex, which is designed to steal banking and personal information by injecting itself into web browsers such as Firefox, Chrome and Internet Explorer. It monitors browsing activity and steals sensitive information for target online banks listed in its configuration file.
The campaign is broad-reaching, the researchers said, with scammers sending phishing email messages globally. There are also related campaigns happening, probably by the same group, using Dropbox, Quickbooks and MYOB lures.
“Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims,” the researchers said. “We also observed several similar campaigns throughout the week, targeting customers of other well-known online accounting software companies. Such attacks have emerged as a recent trend on the attack landscape that exploit the trust that people associate with specific brands.”