Banking Malware Taps Macros


Security firms report a sharp rise in the quantity of attacks that use macro code – designed to automate tasks – to trigger malware downloads, often for the purpose of stealing people’s online banking credentials. “Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide,” warns Microsoft’s Malware Protection Center.

Reports of macro-virus threats might trigger feelings of déjà vu, since macro code – contained in malicious email attachments – was a hallmark of late-’90s attacks. “Macro-based threats were an issue in the past, but years ago antivirus/security won the battle against email attachments,” Sean Sullivan, security advisor for Finnish antivirus firm F-Secure, tells Information Security Media Group. “Gateway scanning systems can detect patterns of bulk attachments. And that’s how people were generally exposed to macro-based threats.”

But today’s macro attacks differ from previous such attacks in notable ways. Technically speaking, today’s attacks are making use of zipped file attachments to try to fool antivirus scanners, as well as using cloud-based storage, “so there are no attachments to scan and block, just links – and that, I would say, makes a big difference,” Sullivan says. Finally, a number of recent attacks have attempted to execute macros using Microsoft’s task-based command-line shell and scripting language PowerShell.

Microsoft says it’s seen an increase in malware and fraud campaigns that use macro downloaders – including Adnel, Bartallex (a.k.a. Bartalex), Donoff, Jeraps, and Ledod – in conjunction with social-engineering attacks. Such trickery is often required because the Microsoft Office default has long been to “disable all macros with notification,” which some security experts say is the single biggest reason such attacks declined. Accordingly, many attackers now try to trick would-be victims into reactivating macro capabilities.
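A defender-side illustration of the gateway-scanning point Sullivan makes about zipped attachments and of the macro-downloader pattern above, written for this article and not taken from it or from any vendor it names: the Python below unpacks a zip attachment, recursing into nested archives, and flags any OOXML document inside that carries a vbaProject.bin part, which is where Office stores VBA macros. The attachment it scans is a constructed sample built in memory, not a real lure or real malware.

```python
"""Flag macro-enabled Office documents, including ones nested inside a zip attachment."""
import io
import zipfile

# OOXML documents (.docx/.docm/.xlsm ...) are zip containers; VBA macros live in vbaProject.bin.
MACRO_PART_SUFFIX = "vbaproject.bin"
MAX_DEPTH = 3  # bound recursion so a deeply nested archive cannot stall the scanner


def contains_vba(data: bytes) -> bool:
    """Return True if the bytes are an OOXML container holding a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return False
    return "[content_types].xml" in names and any(n.endswith(MACRO_PART_SUFFIX) for n in names)


def find_macro_documents(data: bytes, path: str = "attachment", depth: int = 0) -> list:
    """Walk an attachment (possibly a zip of zips) and return paths of macro-bearing members."""
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    if contains_vba(data):
        return [path]  # the attachment itself is a macro-enabled document
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hits.extend(find_macro_documents(zf.read(info), f"{path}/{info.filename}", depth + 1))
    return hits


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped container, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed stub, not a real VBA project")
    return buf.getvalue()


def _build_attachment() -> bytes:
    """Constructed sample: a zip attachment holding one clean and one macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ACH_notice.docx", _build_ooxml(False))
        zf.writestr("ACH_details.docm", _build_ooxml(True))
    return buf.getvalue()


SAMPLE_ATTACHMENT = _build_attachment()

if __name__ == "__main__":
    print(find_macro_documents(SAMPLE_ATTACHMENT))  # -> ['attachment/ACH_details.docm']
```

The same check applies to a file fetched from a cloud-storage link once it reaches the endpoint; the point is that the decision keys on the presence of a VBA part, not on the attachment's outer name or extension.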

“Macro downloaders serve as the gateway for other nasty malware to get in,” Microsoft says. On the bright side, however, researchers at Tenable Network Security report that the current volume of macro malware attacks is so far less than what was seen 15 years ago.

Macro Malware Spikes

Macro downloader variants (blue) and infected machines (orange) seen over the past year. Source: Microsoft.

Bartalex: ACH Fraud

Macro-wielding attackers are increasingly using cloud services to evade existing defenses. Trend Micro, for example, reports this week that it’s seen a recent flurry of spam emails that have Bartalex macro malware attached. The social-engineering attack tells recipients that their Automated Clearing House electronic-funds transfer was declined, and invites the recipient to click a link to “view the full details,” which leads to a Dropbox page that lists specific instructions, including the need to enable Microsoft Office macros, says Trend Micro fraud analyst Christopher Talampas in a blog post.

If users fall for the ruse, the macro runs and attempts to load the Dyre banking malware. Talampas says this particular Dyre variant “targets banks and financial institutions in the United States, among which are J.P. Morgan, U.S. Bank, California Bank & Trust, [and] Texas Capital Bank.”

Tapping PowerShell

Recent variants of the Dridex banking malware, which is designed to steal credentials for online accounts, have been distributed by spam emails, and have been attempting to execute macros via PowerShell, if it’s installed, warn Intel Security researchers Jorge Arias and Yerko Grbic in a blog post.
