Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Word Documents Used to Distribute Dridex Banking Malware

Cybercriminals using the Dridex banking Trojan to steal sensitive information from Internet users have changed the way they are distributing the malware, according to researchers from Palo Alto Networks.

Cybercriminals using the Dridex banking Trojan to steal sensitive information from Internet users have changed the way they are distributing the malware, according to researchers from Palo Alto Networks.

Dridex, which is a successor of the Cridex/Feodo/Geodo Trojans, was first spotted in July. The threat is used by cybercriminals to obtain the information they need for fraudulent bank transactions.

Until recently, Dridex was mostly distributed via executable files attached to spam emails. However, researchers at Palo Alto Networks noticed that cybercriminals have started delivering the threat with the aid of macros placed inside innocent-looking Microsoft Word documents.

The document files contain macros to which the attackers attached complex programs written in Visual Basic for Applications (VBA). The macro is designed to download an executable file from one of several URLs and run it on the infected system.

According to researchers, the malware is hosted on legitimate websites that have been hijacked by the attackers. Once it infects a computer, Dridex uses an XML-based configuration file to determine which websites to target. The threat communicates with its command and control (C&C) server over HTTP.

Palo Alto says the volume of Dridex attacks has decreased considerably compared to July and August, but the company has warned that the latest attacks are still significant. Most of the malicious emails targeted the United States, but some of the messages landed in the inboxes of organizations in the United Kingdom, Taiwan, the Netherlands, Canada, Australia, and Belgium.

When they first shifted to this new distribution tactic, on October 21, the fake emails purported to contain invoices from the Humber Merchants group. In the following days, the attackers stuck to the invoices theme, but started abusing the names of other organizations as well, Palo Alto noted.

“You can protect yourself against this wave of Dridex attacks by disabling macros in Microsoft Word. Macro-based malware has been around for over well over a decade. Most organizations should have them disabled by default, enabling macros only for trusted files,” Ryan Olson, intelligence director at Palo Alto Networks, advised in a blog post., which has been tracking Dridex, Cridex, Feodo and Geodo over the past months, noted in September that the cybercriminal group responsible for these threats is in he habit of abandoning their creations after a fairly short amount of time. The data published by Palo Alto Networks shows that the volume of Dridex sessions detected by the company’s WildFire system has decreased considerably over the past months, which could indicate that the malware authors are already working on a new version of the Trojan. 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.