Microsoft Office Macros are back with Dridex Trojan (October 2, 2015)

The Dell SonicWall Threats team recently observed the return of malicious macros in Microsoft Office documents. These macros download the Dridex banking trojan.

Infection Cycle:

This threat spreads via spam email with subjects such as "Please print", sent from a UK email address.

The attachment is a Word document (Order-SO00653333-1.doc, detected as GAV: Downloader.B_7 (Trojan)) that contains the malicious macros. When opened, it appears as a blank document with a message stating that macros must be enabled to view the content. Macros are disabled by default.

During analysis, the following strings were found embedded in the malicious Word document:

    “http://www.StealthBot.net/sb/Launcher/”
    “http://www.norlabs.de/123/1111.exe”
    “http://www.althBot.net/sb/Launcher/”

The document contains the keywords "AutoOpen" ("Runs when the Word document is opened") and "AutoClose" ("Runs when the Word document is closed"). These are the names of VBA macro procedures that Word executes automatically, without any further user action.
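As an added illustration of how a defender can triage such a document statically (example code, not SonicWall's tooling), the script below scans raw document bytes for the auto-exec procedure names and download URLs described above. It assumes the caller has already extracted the bytes of the OLE/VBA stream; the sample input is constructed from the strings reported in this writeup.

```python
import re
from dataclasses import dataclass, field

# Procedure names Word runs without user interaction. The writeup names
# AutoOpen and AutoClose; the others are the remaining standard auto-exec names.
AUTO_EXEC = ("AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew",
             "Document_Open", "Document_Close")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._~\-/%]*)?")
PAYLOAD_EXT = (".exe", ".scr", ".dll", ".com")

@dataclass
class Triage:
    triggers: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def payload_urls(self) -> list:
        return [u for u in self.urls if u.lower().endswith(PAYLOAD_EXT)]

    @property
    def suspicious(self) -> bool:
        # Auto-run macro plus a remote executable is the dropper pattern above.
        return bool(self.triggers) and bool(self.payload_urls)

def _views(blob: bytes):
    # VBA/OLE streams store strings as ASCII or UTF-16LE; fold the wide form
    # (at both byte alignments) back to narrow so one pattern set covers all.
    yield blob
    for off in (0, 1):
        yield blob[off:].decode("utf-16le", "ignore").encode("latin-1", "ignore")

def triage(blob: bytes) -> Triage:
    """Static scan of raw document bytes for auto-exec names and download URLs."""
    result = Triage()
    for view in _views(blob):
        for name in AUTO_EXEC:
            if name not in result.triggers and re.search(rb"\b%s\b" % name.encode(), view):
                result.triggers.append(name)
        for m in URL_RE.finditer(view):
            url = m.group().decode("ascii")
            if url not in result.urls:
                result.urls.append(url)
    return result

# Constructed stand-in for a VBA stream holding the strings the writeup reports,
# in mixed ASCII and UTF-16LE. Sample data, not the real Order-SO00653333-1.doc.
SAMPLE_DOC = (b"\x00" * 7 + "Sub AutoOpen()\r\n".encode("utf-16le")
              + b'x = "http://www.norlabs.de/123/1111.exe"\r\nSub AutoClose()\r\n'
              + "http://www.StealthBot.net/sb/Launcher/".encode("utf-16le"))
```

`triage(SAMPLE_DOC)` reports both auto-exec triggers and flags the `.exe` URL as the payload stage; a macro with no auto-exec name or no remote executable is left unflagged.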

Once the macros are enabled, the user still sees no content in the Word document. The macros are used to download the Dridex banking malware from domains controlled by the attackers.

It then downloads an executable 1111.exe [detected as GAV: Dridex.B (Trojan)].

This banking trojan attempts to steal information from the victim's machine and posts it to remote Command & Control servers.

The Dell SonicWall Threats team urges users not to fall for these scams. SonicWALL customers with the "block office files with VBA macros" checkbox enabled are already protected from this threat.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Downloader.B_7 (Trojan)
  • GAV: Dridex.B (Trojan)
