Malicious Microsoft office macros downloading Dridex trojan (January 12, 2015)

The Dell Sonicwall Threats team has recently came across a scam luring the innocent victims to turn on macros in Microsoft Office, thus downloading Dridex trojan through the malicious macros.

Infection Cycle:

The spam email spreads this threat with the subjects such as

The attachment is an Excel sheet (attachment.XLS)(detected as GAV: Downloader.DA ) which contains the malicious macros. When it is opened, it is a blank document. It states that the macros should be enabled to see the document. By default, these are disabled.

Once the macros are enabled, the user still cannot see any content on the excel sheet it has three empty tabs with Russian or cyrilic characters.

On the background, the malware tries to establish HTTP connection

It then downloads an executable LNUDTUFLKOJ.exe [detected as GAV: Dridex.VVPT.

This trojan tries to steal information from the victim’s machine post it to the remote Command & Control servers.

The decrypted post message is as follows:

The Dell SonicWall threats team urges users to not fall for these scams. SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

• GAV: Downloader.DA (Trojan)
• GAV: Dridex.VVPT (Trojan)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.