Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Xero-Spoofing Phishing Campaign Spreads Dridex Globally

A sophisticated phishing campaign is making the rounds, targeting victims by sending spoofed email messages appearing to come from Xero. If fooled, victims find themselves dealing with a banking trojan (Dridex) and information-stealing activity.

Xero is a New Zealand-based software company that develops cloud-based accounting software for small and medium-sized businesses. According to researchers Fahim Abbasi and Rodel Mendrez at Trustwave, the imposter messages are well-done, and look like professionally crafted billing messages that recommend that users view their bill invoice online by clicking on the invoice link.

The invoice link in the email body points to a URL hosted on the fake Xero domain, while the other URLs point to the legitimate Xero.com site. The malicious link leads to the download of a Zip archive containing a malicious JavaScript file. On execution, this JavaScript downloads and launches the malware.

“This is a sophisticated malware sample that performs multiple tasks,” the researchers explained, in an analysis. “It first gathers information about the system, installed applications and users. This is followed by several system wide policy settings and configuration changes for Internet Explorer through the registry. The malware also attempts to hook benign windows processes like whoami.exe and net.exe,” with which it collects system information. This information is stored as XML format and is then encrypted and ex-filtrated to the control server.

And, of course, it drops Dridex, which is designed to steal banking and personal information by injecting itself into web browsers such as Firefox, Chrome and Internet Explorer. It monitors browsing activity and steals sensitive information for target online banks listed in its configuration file.

The campaign is broad-reaching, the researchers said, with scammers sending phishing email messages globally. There are also related campaigns happening, probably by the same group, using Dropbox, Quickbooks and MYOB lures.

“Attackers are leveraging the simplicity provided by the email infrastructure to distribute banking trojans to global victims,” the researchers said. “We also observed several similar campaigns throughout the week, targeting customers of other well-known online accounting software companies. Such attacks have emerged as a recent trend on the attack landscape that exploit the trust that people associate with specific brands.”

As a mitigation measure, customers should avoid opening any email messages that appear suspicious, especially avoid opening any unknown downloadable files. Customers should also refrain from opening Zip archives that come from unknown sources and avoid executing unknown file formats like JavaScript.


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


What’s Hot on Infosecurity Magazine?