A mischievous email campaign has been disclosed in the United Kingdom to spread malware that is hardly detected by AV tools. The attack relies on an authentically looking company message informing about a legal dispute with the recipient. The company name is randomly selected and is in tune with the subject line.
Attack Initiated by an Attached MS Office Document
The whole process is designed so that the receiver is tricked into opening the attached Microsoft Word document. The document contains a malicious macro with commands for downloading and executing a malware dropper.
Users should be aware that the malware dropper is concealed as a GIF image. Researchers have not yet investigated the VBScript (Visual Basic Scripting Edition, an active scripting language) of the macro but have discovered that there is a backup macro transmitted from servers in Germany and Russia.
Corrupted File Barely Detectable
Security researchers say that the malicious file was initially detected by only 2 ud af 56 anti-malware tools. The detection rate has improved a bit since then.
As for the dropper imitating a GIF image – it is stored in a temporary folder and is recognizable by the name
After the malicious file is executed, a server in Germany is contacted. Researchers believe that the final payload is a variation of the well-known Dridex banking Trojan. The infamous Trojan is also hard to be ‘caught’ by AV products.
The Dridex Trojan has been quite active during the last couple of years. On October 2014, 93 servers for Dridex communication were registered, four of them found to be in Russia.