Security Experts:

Word Documents Used to Distribute Dridex Banking Malware

Cybercriminals using the Dridex banking Trojan to steal sensitive information from Internet users have changed the way they are distributing the malware, according to researchers from Palo Alto Networks.

Dridex, which is a successor of the Cridex/Feodo/Geodo Trojans, was first spotted in July. The threat is used by cybercriminals to obtain the information they need for fraudulent bank transactions.

Until recently, Dridex was mostly distributed via executable files attached to spam emails. However, researchers at Palo Alto Networks noticed that cybercriminals have started delivering the threat with the aid of macros placed inside innocent-looking Microsoft Word documents.

The document files contain macros to which the attackers attached complex programs written in Visual Basic for Applications (VBA). The macro is designed to download an executable file from one of several URLs and run it on the infected system.

According to researchers, the malware is hosted on legitimate websites that have been hijacked by the attackers. Once it infects a computer, Dridex uses an XML-based configuration file to determine which websites to target. The threat communicates with its command and control (C&C) server over HTTP.

Palo Alto says the volume of Dridex attacks has decreased considerably compared to July and August, but the company has warned that the latest attacks are still significant. Most of the malicious emails targeted the United States, but some of the messages landed in the inboxes of organizations in the United Kingdom, Taiwan, the Netherlands, Canada, Australia, and Belgium.

When they first shifted to this new distribution tactic, on October 21, the fake emails purported to contain invoices from the Humber Merchants group. In the following days, the attackers stuck to the invoices theme, but started abusing the names of other organizations as well, Palo Alto noted.

"You can protect yourself against this wave of Dridex attacks by disabling macros in Microsoft Word. Macro-based malware has been around for over well over a decade. Most organizations should have them disabled by default, enabling macros only for trusted files," Ryan Olson, intelligence director at Palo Alto Networks, advised in a blog post.

Abuse.ch, which has been tracking Dridex, Cridex, Feodo and Geodo over the past months, noted in September that the cybercriminal group responsible for these threats is in he habit of abandoning their creations after a fairly short amount of time. The data published by Palo Alto Networks shows that the volume of Dridex sessions detected by the company's WildFire system has decreased considerably over the past months, which could indicate that the malware authors are already working on a new version of the Trojan. 

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.