Macro Malware Dridex, Locky Using Forms to Hide Code

Researchers at Trend Micro recently observed a change in the Dridex and Locky macro malware families, which are now using Form objects in macros to obfuscate their malicious code.

Spotted in February, Locky was immediately associated with Dridex for using the same infiltration technique as the notorious banking Trojan, namely malicious macros found in Word documents. Although ransomware relying on macros for distribution was observed before, the latest change in both malware families appears to tighten the connection between them.

In February, researchers at Palo Alto Networks observed around 446,000 individual sessions containing the Bartalex macro downloader, which in turn dropped Locky on compromised systems. The large number of sessions also showed that the ransomware’s operators were putting significant effort into pushing Locky to the top of the ransomware charts.

In a recent blog post, Trend Micro’s Wilson Agad revealed that the ransomware’s authors are also focused on improving their creation. Locky was observed using Form objects in macros to obfuscate its malicious code, a change that could help adversaries hide the malicious activity performed on target networks or systems.

The use of malicious macros to achieve high infection rates was a very popular attack method about a decade ago, but it went almost extinct after Microsoft disabled macros by default in Office 2007. In the past few years, however, it has become popular once again, used mainly by malware such as Dridex and Rovnix, as well as by the enterprise-oriented Bartalex.

Until recently, macro malware relied on easy-to-implement scripts placed in the macro sheet to deliver and execute the malicious payload. Those scripts required users to manually enable macros before the malware could run, and Form objects, the windows or dialog boxes that make up part of an application’s user interface, are no different in that respect.

As Agad explains, however, the new technique also requires the shellcode to be accessed, and it is more difficult to implement than plain scripts. The installation routine itself isn’t necessarily affected by the use of Forms, the researcher adds.
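A defender-side triage script for the carrier described above, added here as an example (it is not Trend Micro's or the malware authors' code). It assumes an OOXML Word document (.docm/.dotm) whose VBA project sits at word/vbaProject.bin and whose PROJECT stream names each UserForm on a `BaseClass=` line, as MS-OVBA specifies; the `build_sample` helper and its contents are constructed test data.

```python
"""Flag documents whose VBA project contains UserForm designer modules.
Added example, not Trend Micro's tooling. Assumes an OOXML document with
the VBA project at word/vbaProject.bin, whose PROJECT stream is plain text
listing each UserForm on a 'BaseClass=' line (MS-OVBA ProjectDesignerModule).
Scanning raw bytes is a heuristic: a line split across OLE sectors is missed."""
import io
import re
import zipfile

VBA_PART = "word/vbaProject.bin"
# One 'BaseClass=' record per UserForm; 'Module=' per ordinary code module.
FORM_RE = re.compile(rb"BaseClass=([A-Za-z0-9_]+)")
MODULE_RE = re.compile(rb"Module=([A-Za-z0-9_]+)")


def vba_user_forms(project_bin: bytes) -> list:
    """Return UserForm module names referenced by the PROJECT stream."""
    return [m.decode("ascii") for m in FORM_RE.findall(project_bin)]


def triage_document(data: bytes) -> dict:
    """Summarise macro presence for one document; nothing is executed."""
    result = {"has_vba": False, "user_forms": [], "modules": [], "verdict": "clean"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if VBA_PART not in zf.namelist():
                return result
            project_bin = zf.read(VBA_PART)
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"
        return result
    result["has_vba"] = True
    result["user_forms"] = vba_user_forms(project_bin)
    result["modules"] = [m.decode("ascii") for m in MODULE_RE.findall(project_bin)]
    # A macro document that also carries a UserForm gets the stronger verdict.
    if result["user_forms"]:
        result["verdict"] = "review: macros with UserForm storage"
    else:
        result["verdict"] = "review: macros present"
    return result


def build_sample(project_text: bytes) -> bytes:
    """Constructed .docm stand-in: a zip holding a fake vbaProject.bin body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(VBA_PART, project_text)
    return buf.getvalue()
```

Run it over a mail gateway's quarantined attachments and route the "UserForm storage" verdict to analyst review; real documents are OLE compound files inside the zip, so use an OLE parser when the heuristic must be exact.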

To infect systems, attackers rely on users opening a poisoned Word document attached to a malicious email, which carries the malicious macros. Since the targets are typically employees who deal with form documents on a daily basis, the chances of a successful infection are higher.

As Proofpoint revealed in its recently published Human Factor 2016 report, attackers increasingly rely on people becoming their unwitting accomplices in attempts to steal information and money. A very large portion of last year’s attacks relied on social engineering, with 99.7 percent of attachment documents in spam email campaigns requiring human interaction to deliver the malicious payload.

Given that the use of social engineering to deliver malware is trending, it comes as no surprise that ransomware authors have adopted it as well. However, Locky, which mostly affects users in Germany, Japan, and the United States at the moment, appears to be the first ransomware to replicate the use of malicious macros (commonly seen in Dridex) and to adopt Forms so early.

“Awareness of such threats and their behavior is one of the initial steps in order to combat their risks. It’s also important to not enable macros from email attachments as this can add another layer of protection to prevent the download of malicious files on the system. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources,” Agad concludes.
