A rather unpopular technique for the distribution of banking malware has been spotted in the wild lately. It involves the combination of malicious macros, Microsoft Word docs and PDF files into one item.
The method relies on spam email messages containing a seemingly innocent text document, which is, in fact, an executable file. The other approach user by the attackers is to lace Word documents with macro scripts that download the malicious threat.
Experts at Avast report that the latter technique has been modified and now the Word document is being embedded in a PDF. Particularly the PDF is what the user sees in the spam email.
The Malicious Email
The email purports to be from a financial institution and to contain important details, which are disclosed in a PDF file attached to the message. The Adobe doc is embedded with JavaScript code and the DOC file that contains the macro with the malicious commands.
Once the victim downloads the PDF, the JavaScript is dropped, and the DOC is executed. The user is still the one to activate the code in the macro, though because it is disabled by Microsoft Office by default. The malicious code obscures DOC files as it creates new documents that have unique variable names, methods names, and URLs. This way it becomes quite hard to identify the malicious files, experts explain.
Dridex Banking Trojan
As the researchers were analyzing the macro, they have found out that it connected to URLs unique for every malware sample – a version of the Dridex banking Trojan.
The attackers aim to get their hands on banking credentials that will allow them access to the victim’s accounts. Logins for Microsoft and Google services are also targeted.
Among the banks, whose clients were targeted, are:
- Santander (US)
- Ulster (Ireland)
Security experts urge users to run the latest versions of the AV tool they have installed on their computers. It is important that users pay attention to suspicious emails that claim to contain important data in attached files, and verify the information before downloading any documents.