Dridex Trojan Luring Users into Enabling Macros in XML Files

As malware researchers revealed at the end of 2014, the Dridex Trojan, also known as Feodo, Bugat and Geodo, was behind numerous attacks on bank security information. Back then, the malicious software relied on macros in Microsoft Office documents. Even though companies usually keep macros disabled by default, the attackers are still trying to lure employees into their scheme. This time they are using XML files.

Malware researchers have now confirmed that the hackers behind the dangerous Trojan have been quite active during the last few days, with at least several hundred malicious messages submitted. The end goal of the banking malware is no different than before – making users believe the files in question are legitimate. The XML files are usually presented either as a “remittance advice” or as a payment reminder.

Once the user is tricked into double-clicking the file, it opens in Microsoft Word, the application associated with it. The attackers have also added a pop-up window with instructions that stress the importance of enabling macros so that the file can be viewed properly. It seems that the cyber criminals behind Dridex are relying either on employees' trust in XML files or, more probably, on their unawareness.

Why Are the Attackers Using XML Files?

First of all, XML is known as the old binary format for Office documents, which were the attackers' initial target.

It seems that the hackers have been persistently trying to make people enable macros. Most probably, their previous scheme involving Excel documents did not produce the desired click-through rates, so this is simply another phishing technique.
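A defender-side triage check for the kind of file described above, added here as example code that is not part of the original article: it flags an .xml file that Windows will hand to Word (via the `mso-application` processing instruction or the WordprocessingML root element) and that embeds a binary part named `editdata.mso`, which is where a Word 2003 XML document stores its VBA project. The format details come from the public Word 2003 XML format rather than from the article, and both sample documents are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Namespace of the Word 2003 XML (WordprocessingML) format. Windows hands an .xml
# file to Word when it carries the mso-application processing instruction below.
W_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
WORD_PI = re.compile(rb'<\?mso-application\s+progid="Word\.Document"\?>')


def triage_word_xml(data: bytes) -> dict:
    """Report whether Word would claim this XML and whether it embeds a macro container."""
    report = {"is_word_xml": False, "bin_parts": [], "has_macro_container": False}
    if WORD_PI.search(data):
        report["is_word_xml"] = True
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return report  # not well-formed XML; leave it to other scanners
    if root.tag == f"{{{W_NS}}}wordDocument":
        report["is_word_xml"] = True
    for node in root.iter(f"{{{W_NS}}}binData"):
        name = node.get(f"{{{W_NS}}}name", "")
        report["bin_parts"].append(name)
        try:  # the part is base64, usually line-wrapped, so drop all whitespace first
            blob = base64.b64decode(re.sub(r"\s+", "", node.text or ""), validate=True)
        except ValueError:
            continue
        # In this format the VBA project is stored in editdata.mso, an ActiveMime container.
        if name.lower() == "editdata.mso" and blob.startswith(b"ActiveMime"):
            report["has_macro_container"] = True
    return report


# Constructed sample: a "remittance advice" lure with a placeholder macro container.
_FAKE_MSO = base64.b64encode(b"ActiveMime\x00\x00constructed placeholder, not real VBA")
LURE_SAMPLE = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    b'<?mso-application progid="Word.Document"?>\n'
    b'<w:wordDocument xmlns:w="' + W_NS.encode() + b'">\n'
    b'  <w:binData w:name="editdata.mso">' + _FAKE_MSO + b'</w:binData>\n'
    b'  <w:body><w:p><w:r><w:t>Remittance advice: enable macros to view</w:t></w:r></w:p></w:body>\n'
    b"</w:wordDocument>\n"
)
# Constructed sample: ordinary data XML that Word would not claim.
BENIGN_SAMPLE = b'<?xml version="1.0"?><invoice><total currency="USD">120.00</total></invoice>'
```

Run `triage_word_xml` over inbound .xml attachments at the mail gateway; a file that is both Word-claimed and carries the macro container is worth quarantining regardless of its "remittance advice" name.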

Dridex in the Recent Past

As of October 2014, there were 93 servers for Dridex communication, 12 of which were online. Researchers reported that four of them were located in Russia. There is still no information about the current situation.

Previous versions of the Feodo / Bugat / Cridex Trojan horse mostly targeted banking organizations in the United States, with emails also being sent to users in Australia, Canada, the United Kingdom, Germany and other countries.