Malicious Microsoft Office macros downloading Dridex trojan (January 12, 2015)
The Dell SonicWall Threats team has recently come across a scam that lures victims into enabling macros in Microsoft Office; the malicious macros then download the Dridex trojan.
Infection Cycle:
The spam email spreads this threat using subjects such as the following:
![](https://software.sonicwall.com/gav/macromalware/email.png)
The attachment is an Excel sheet (attachment.XLS, detected as GAV: Downloader.DA) which contains the malicious macros. When opened, it appears as a blank document that states that macros must be enabled to view the content. By default, macros are disabled.
![](https://software.sonicwall.com/gav/macromalware/macro-disabled-xls.png)
Once macros are enabled, the user still sees no content on the Excel sheet; it has three empty tabs named with Russian or Cyrillic characters.
![](https://software.sonicwall.com/gav/macromalware/macro-enabled-xls-2.png)
In the background, the malware tries to establish an HTTP connection:
![](https://software.sonicwall.com/gav/macromalware/httprequest.png)
It then downloads an executable, LNUDTUFLKOJ.exe (detected as GAV: Dridex.VVPT).
This trojan tries to steal information from the victim's machine and post it to the remote Command & Control servers:
![](https://software.sonicwall.com/gav/macromalware/postinf-1.png)
The decrypted post message is as follows:
![](https://software.sonicwall.com/gav/macromalware/postinf-2.png)
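The infection cycle above leaves two observable traces on the endpoint: the Office host opening an HTTP connection to fetch the payload, and the downloaded executable being launched from a user-writable folder. The following script is an added example (not part of the original advisory or SonicWall's own tooling) that flags both over constructed Sysmon-style events; the field names, paths, IP address and detection names are assumptions, and the payload file name is the one reported above.

```python
import re
from typing import Dict, List, Tuple

# Office hosts whose macros can download and launch payloads.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Directories a macro can write to without elevation (assumed drop locations).
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections that match one event (empty if none)."""
    hits: List[str] = []
    image = event.get("Image", "")
    parent = _basename(event.get("ParentImage", ""))
    # Rule 1: an Office host starts an .exe from a user-writable folder,
    # i.e. the downloaded payload is being launched.
    if (event.get("EventType") == "ProcessCreate" and parent in OFFICE_APPS
            and _basename(image).endswith(".exe") and USER_WRITABLE.search(image)):
        hits.append("office_spawned_exe_from_user_dir")
    # Rule 2: the Office host itself opens a plain-HTTP connection, which is
    # how the macro fetches the payload.
    if (event.get("EventType") == "NetworkConnect" and _basename(image) in OFFICE_APPS
            and event.get("DestinationPort") in {"80", "8080"}):
        hits.append("office_app_http_connection")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every event through classify() and return (time, detection) pairs."""
    return [(e["UtcTime"], hit) for e in events for hit in classify(e)]


# Constructed sample events; the user name, paths and IP address are made up.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "UtcTime": "2015-01-12 09:00:01",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE"},
    {"EventType": "NetworkConnect", "UtcTime": "2015-01-12 09:00:07",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "DestinationIp": "192.0.2.10", "DestinationPort": "80"},
    {"EventType": "ProcessCreate", "UtcTime": "2015-01-12 09:00:09",
     "Image": r"C:\Users\victim\AppData\Local\Temp\LNUDTUFLKOJ.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"EventType": "ProcessCreate", "UtcTime": "2015-01-12 09:01:00",
     "Image": r"C:\Windows\splwow64.exe",  # benign print helper started by Excel
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the HTTP connection from Excel and the launch of the dropped executable; the Outlook-to-Excel and Excel-to-splwow64 events, which are normal, produce nothing.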
The Dell SonicWall Threats team urges users not to fall for these scams. SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Downloader.DA (Trojan)
- GAV: Dridex.VVPT (Trojan)