Researchers at Proofpoint discovered a crafty new trick in the repertoire of the Dridex banking malware.
Well known for leveraging macros in Microsoft Office documents to infect computers, Dridex now includes the ability to allow the malware to hold off executing until the malicious document is closed.
“In this case, the maldoc [malicious document] campaign resembles other attachment delivery campaigns, but the twist is in when the macro shows its true colors,” according to Proofpoint. “The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens. Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.”
“The expected behavior for most malware is for it to execute at the earliest opportunity available on the target system,” the Proofpoint researchers continue. “Realizing that immediate execution was a red flag to malware sandboxes and antivirus solutions, malware writers adjusted by coding their wares to ‘wait’ for short periods of time before executing, thereby avoiding sandboxes that would only check for malicious activity at initial launch.”
As sandboxes have also adjusted to wait, the ability of a malicious macro to run when the document closes increases the possible window of infection and forces a detection sandbox to monitor it for longer, the researchers explained. But regardless of how long the sandbox waits, the infection will not occur – and if the sandbox shuts down or exits without closing the document, the infection will never take place.
“Allowing macros to run can be risky, and it keeps getting riskier as malware writers continue to innovate and add new tools and techniques to their portfolio,” the researchers blogged.
During the past several months, the Dridex malware has been linked to attacks targeting banking customers all over the globe, including in the United States, U.K. and Canada. Researchers at Trustwave recently identified a spate of malicious emails with XML files laced with the malware.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
- China Says It’s Looking Into Report of Spy Balloon Over US
- GoAnywhere MFT Users Warned of Zero-Day Exploit
