Malicious macro used to retrieve malware dropper

Apr 7, 2015 18:01 GMT  ·  By

A malicious email campaign is targeting users in the UK, tricking them into running malware on their systems that is currently poorly detected by antivirus engines.

The message claims to come from a company whose name is selected at random and matches the entity named in the subject line. The email purports to concern some sort of legal dispute with the recipient and is designed to fool them into opening an attached Microsoft Word document.

Malware dropper masquerades as GIF image

The MS Office document is laced with a malicious macro that includes commands for downloading and executing a malware dropper on the affected system, says Conrad Longmore of Dynamoo’s Blog.

The researcher did not analyze the VBS script of the macro, but made the code available for other security experts to investigate.

However, he determined that an alternate macro also existed and the dropper was funneled from a server in Russia and one in Germany.

An initial analysis on VirusTotal showed that the file was detected by 2 out of 56 antivirus solutions, but more recent scans show a slight increase in detection, to 5 out of 57 products.

Malware hosted on machine in Germany

The dropper, posing as a GIF image, is stored in the temporary folder on the system under the name “dfsdfff.exe.” After installation, it contacts a machine in Germany, according to results of an automated analysis provided by the researcher.
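A defender-side check for the kind of masquerading described above, added here as an example and not taken from the article or the researcher's analysis: compare a downloaded object's claimed type (URL extension or HTTP Content-Type) with the type indicated by its leading magic bytes, so an executable delivered under a .gif name or an image/gif Content-Type is flagged. The file names, the signature table and the sample bytes are constructed for the example.

```python
"""Flag downloaded objects whose claimed type does not match their magic bytes."""
import os
from typing import Optional

# Leading-byte signatures for the two types this check tells apart.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pe": (b"MZ",),  # Windows executable (EXE/DLL/SCR)
}

# Claimed types derived from a file/URL extension or an HTTP Content-Type.
EXT_TYPES = {"gif": "gif", "exe": "pe", "dll": "pe", "scr": "pe"}
MIME_TYPES = {"image/gif": "gif", "application/x-msdownload": "pe"}


def sniff_type(data: bytes) -> str:
    """Return the real type ('gif', 'pe' or 'unknown') from the leading bytes only."""
    for kind, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return "unknown"


def claimed_type(name: str, content_type: Optional[str] = None) -> str:
    """Type the sender claims; Content-Type wins over the extension when present."""
    if content_type:
        mime = content_type.split(";")[0].strip().lower()
        if mime in MIME_TYPES:
            return MIME_TYPES[mime]
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    return EXT_TYPES.get(ext, "unknown")


def check_download(name: str, data: bytes, content_type: Optional[str] = None) -> Optional[str]:
    """Return a finding when claimed and real type disagree, else None."""
    claimed, actual = claimed_type(name, content_type), sniff_type(data)
    if actual == "pe" and claimed != "pe":
        return f"{name}: claims {claimed!r} but carries a PE executable header"
    if claimed != "unknown" and actual != "unknown" and claimed != actual:
        return f"{name}: claims {claimed!r} but magic bytes say {actual!r}"
    return None


# Constructed samples (not captured from the campaign): a PE stub served as a GIF,
# and a genuine GIF89a header.
FAKE_GIF_PE = b"MZ\x90\x00" + b"\x00" * 60
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00"

if __name__ == "__main__":
    print(check_download("payload.gif", FAKE_GIF_PE, "image/gif"))
    print(check_download("logo.gif", REAL_GIF))
```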

The final payload is believed to be a variant of the Dridex banking Trojan, which is also missed by a large number of antivirus solutions. The latest scan on VirusTotal showed that only 6 out of 56 security products recognized the file as malicious.

Dridex has been observed by security researchers at Cisco being delivered via a recent “hit and run” campaign that lasted less than five hours, too short a window for detection routines to be created to protect users.

Malware dropper is detected by a handful of antivirus products

Possible Dridex variant benefits from poor detection