A rather unpopular technique for the distribution of banking malware has been spotted in the wild lately. It involves the combination of malicious macros, Microsoft Word docs and PDF files into one item.
The method relies on spam email messages containing a seemingly innocent text document that is, in reality, an executable file. The other approach used by the attackers is to lace Word documents with macro scripts that download the malicious threat.
Experts at Avast report that the latter technique has been modified: the Word document is now embedded in a PDF, and the PDF is what the user sees in the spam email.
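A mail-gateway or triage check for the PDF-wrapped variant described above can look inside a PDF's attachment streams and report whether one of them is an Office document. The sketch below is an added example, not code from Avast or from the article; it assumes the attachment is stored as a standard `/EmbeddedFile` stream (raw or Flate-compressed), and the function names and the sample PDF are constructed for illustration.

```python
import io, re, zipfile, zlib

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls (OLE2) header
# One stream object per match; the lookahead keeps a match inside a single object.
STREAM_OBJ = re.compile(
    rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def classify(payload):
    """Name the Office container an embedded payload holds, or None."""
    if payload.startswith(OLE2_MAGIC):
        return "ole2-office-document"
    if payload.startswith(b"PK\x03\x04"):  # ZIP container, as used by OOXML
        try:
            names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.endswith("vbaProject.bin") for n in names):
            return "ooxml-with-vba-macros"
        if "[Content_Types].xml" in names:
            return "ooxml-office-document"
    return None

def scan_pdf(data):
    """Return one finding per /EmbeddedFile stream found in raw PDF bytes.
    Triage heuristic: object streams and encrypted PDFs are not handled."""
    findings = []
    for dictionary, body in STREAM_OBJ.findall(data):
        if not re.search(rb"/EmbeddedFile(?![A-Za-z])", dictionary):
            continue  # page content, fonts, images and other streams
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                body = b""  # corrupt stream: reported as other-embedded-file
        findings.append(classify(body) or "other-embedded-file")
    return findings

def build_sample_pdf(with_macros=True):
    """Constructed sample: a skeletal PDF whose attachment is a fake .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    packed = zlib.compress(buf.getvalue())
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >>\n"
            b"endobj\n3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed
            + b"\nendstream\nendobj\n%%EOF\n")
```

Calling `scan_pdf(build_sample_pdf())` returns `["ooxml-with-vba-macros"]`; a PDF attachment that yields any Office finding is a reasonable candidate for quarantine or sandboxing.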
The Malicious Email
Dridex Banking Trojan
While analyzing the macro, the researchers found that it connected to URLs that were unique to each sample of the malware, a version of the Dridex banking Trojan.
The attackers aim to get their hands on banking credentials that will allow them access to the victim’s accounts. Logins for Microsoft and Google services are also targeted.
Among the banks whose clients were targeted are:
- Santander (US)
- Ulster (Ireland)
Security experts urge users to run the latest versions of the AV tool they have installed on their computers. It is important that users pay attention to suspicious emails that claim to contain important data in attached files, and verify the information before downloading any documents.