Dridex Banking Trojan Spreading Via Macros in XML Files

A phishing campaign that spiked this week is pushing the Dridex banking Trojan via malicious macros embedded in XML file attachments.

Not long ago, criminals pushing the Dridex banking Trojan were using Microsoft Excel documents spiked with a malicious macro as a phishing lure to entice victims to load the malware onto their machines.

Even though macros are disabled by default inside most organizations, the persistent hackers are still at it, this time using XML files as a lure.

Researchers at Trustwave today said that over the past few days, several hundred messages have been corralled that are trying to exploit users’ trust in Office documents with some clever social engineering thrown into the mix in an attempt to convince users to enable macros and thus download the banking malware onto their machines.

The XML files are passed off as “remittance advice,” or payment notifications, with the hopes that some users will believe it’s an innocent text file and execute the malicious code.

“XML files are the old binary format for Office docs and once you double click them to open, the file associated with Microsoft Word and opens,” said Karl Sigler, Trustwave threat intelligence manager. The malicious macro is compressed and Base64 encoded in order to slide through detection technology, Sigler said, adding that the attackers have also included a pop-up with instructions for the user on how to enable macros with language that stresses macros must be enabled for the invoice to viewed properly or to ensure proper security. “Which is the exact opposite of what this does,” Sigler said. “It doesn’t seem to be all that sophisticated. They’re either trying to capitalize on a user’s trust in XML files, or the fact that a user may not be that familiar with what that extension is.”

If the user does follow through and execute the malware, Dridex behaves like most banking Trojans. It sits waiting for a user to visiting an online banking site and then injects code onto the bank site in order to capture the user’s credentials for their online account.

Sigler said this is the first time they’ve spotted XML docs used as a lure. As for macros, they’ve been disabled by default since Office 2007 was released.

“Sometimes in large organizations, local administrators have the ability to enable macros,” Sigler said. “Some organizations use them quite a bit, but it’s not common. Most people leave the default settings. It’s hard to say why these guys moved to XML. It could be that they’re looking for a new attack vector and they weren’t getting good click-through rates with the Excel documents. Maybe they were not getting people to enable macros the way they hoped and they’re looking for a way to better their success rate.”

Dridex is a descendent of Cridex and is in the GameOver Zeus family. GameOver Zeus has been used for years to great profit, particularly through wire fraud. It used a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. The previous Dridex campaign targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others.

Suggested articles