Financial Malware Uses Macros to Infect

A new breed of financially focused malware has cropped up, using new tactics to evade detection and infect harder-to-compromise systems. The Dyre botnet has successfully compromised tens of thousands of victims in North America. Another banking trojan, Dridex, has successfully compromised thousands of systems in Europe and is increasingly targeting companies and users in the U.S. by sending Word documents carrying malicious macro scripts capable of installing the malware. Security & Privacy News Roundup: Stay informed of key patterns and trends Cloud-based security provider Proofpoint has focused on Dridex since it appeared late last year, tracking efforts by the groups to target companies with Dridex-laden spam. The attackers send out waves of spam every two or three days, using anywhere from two different e-mail templates to more than 1,000, depending on the group behind the attack. The attacks usually last no longer than five hours, and few, if any, antivirus scanners detect the malware in time, says Wayne Huang, vice president of engineering at Proofpoint. “I would say that they are persistent, but they are not APT (an advanced persistent threat) in that they are not focusing on certain organizations,” he says. “They spread malware primarily to monetize.” The rapidly changing templates and the use of macros within Word documents are just two of the techniques that Dridex uses to be an efficient infector. More recent versions of the banking malware have used images to track the number of downloads, and the developers also have added features to foil detection and analysis by automated systems. A number of anti-malware systems open suspicious files or run potentially questionable code in a virtual environment to check for malicious behavior. Yet, attackers have found ways to detect whether their code is running in such a “sandbox.” Initial attempts, for example, would just sleep for an hour or a day, because automated systems typically only executed the code for a few minutes. Most current efforts, however, focus on the anomalies in the system in which the program is running. The developers behind the Dyre malware, for example, used a simple command to count the number of cores being used. Many virtual environments only use a single core for efficency, while multi-core systems are now ubiquitous. Dridex, however, took a simpler tack: Because analysis systems tend to open the suspicious file and wait for any anomalous activity, Dridex is programmed to only execute when the malicious Word document is closed. The evolution of Dridex has made it an effective vehicle for attacks, says Matt Huang, vice president of product management at Proofpoint. “They have been really mutating their techniques, especially to avoid sandbox detection,” he says. “From very early on, they would change e-mail subjects and file titles. Now, we see a greater variety of techniques.” A single attack often will result in hundreds of thousands of e-mails being sent out. The attackers have at least 1.3 billion e-mail addresses from which to choose, Huang says. The attackers also are beginning to zero in on other financial targets, such as cryptocurrencies. In some cases, Dridex has downloaded a trojan known as Pony that can steal more than 30 different cryptocurrencies, such as Bitcoin, from a dozen different types of digital wallets. “Recently, they have been using Pony to steal wallets, because the use of virtual currency has picked up,” Huang says. “They have been quite successful.”