The left-for-dead Office macro has apparently made a comeback with cybercriminals, who have found it to be a good hiding place for banking malware.
Recently, Microsoft reported a spike in the use of macros in hacking campaigns, peaking in mid-December. This has been corroborated by researchers at Trustwave who today said they’re seeing spam campaigns in the U.K. with attachments containing embedded macros that deliver the Dridex banking Trojan.
Dridex is a descendant of Cridex and belongs to the GameOver Zeus family. GameOver Zeus has been used for years to great profit, particularly through wire fraud. It used a peer-to-peer architecture to spread and to move stolen data, forgoing a centralized command-and-control server. P2P and domain generation algorithm (DGA) techniques make botnet takedowns difficult and extend the lifespan of such malware schemes.
While Dridex doesn’t differ much from most strains of banking Trojans—it targets online banking credentials and contains configuration files that mimic log-ins for financial institutions—it has been circulating for weeks in the U.K. with some success. That is surprising, because Microsoft disables macros by default. Its success therefore also stems from strong social engineering: the lure convinces users not only to open the attachment and execute the malicious macro, but the attachment used in the spam campaign also contains a handy how-to instructing victims on how to re-enable macros.
The campaign Trustwave spotted is after U.K. banking customers, with spam messages spoofing popular companies either based or active in the U.K. Spam spikes using macros started in October and continued right through mid-December; the messages carried malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others. The attachments are Microsoft Word or Excel documents that contain an obfuscated macro that downloads Dridex from a remote server, Trustwave security researcher Ziv Mador said.
“Some users are not cautious enough and open attachments from unexpected emails, and some of them will go the next step and enable the macro,” Mador said.
The attackers go to great pains to hide the malware in order to shield it from analysis and security protections.
“The macros are obfuscated multiple ways within the document,” Mador said. “If it passed in the clear, it would be simple to detect. What we saw multiple times was that it was obfuscated in multiple ways.”
For example, Mador said, strings such as the drop folder, the malware file name and the download URL were hidden by text-to-hexadecimal obfuscation, Trustwave found upon analysis: each string is converted to its hexadecimal string equivalent.
To further frustrate analysis and detection, the attackers added another layer of obfuscation, either reversing the hexadecimal strings or XORing the string with a predefined key, Trustwave said.