Against the backdrop of the recent IRS announcement of a 400% surge in tax-related fraud and phishing campaigns, Eastwind Labs has analyzed a variant of the Dridex malware. The authors of Dridex have adopted the strategy of using macros in Office documents as the means to disseminate their malware, and they have been clever enough to password-protect these macros. The user is shown some garbage data in a single-page Word document or a single-sheet spreadsheet, accompanied by a notice in plain English instructing the user to enable macros in order to view the document correctly.
As we can see, this is an empty document (Words: 0) and a Security Warning has been displayed.
Microsoft has recently released patches that disable macros by default. There has been some discussion in the past few years that malware no longer spreads via macros, but this mode of dissemination has increased in the past couple of months.
It is highly recommended not to enable any macros. The risks are evident from the infection that follows: nothing is displayed on the screen, but the malware has been downloaded and executed in the background.
The user has no indication that they have been infected. They may open the document again and enable the macro despite the warning; still seeing nothing, they will dismiss it and forget about it. However, the damage has been done.
Eastwind Breach Analytics Cloud immediately flags these downloaded files as malicious, sending out alerts to your email and to your iOS app.
The alerts can be inspected for details about the network communication that resulted in the infection—details such as the MD5 hash, the Indicators of Compromise, the network protocol (HTTP in this case), and information about the requesting and responding machines.
Now consider the case where your laptop became infected on another network, such as your home network. This malware operates in such a way that you are not aware that you have been infected. What now? Not to worry. Eastwind Breach Analytics Cloud also detects and flags post-infection callbacks, so whenever your machine connects to a network monitored by our sensor, we can see them. Dridex, like many other types of malware, communicates with a command-and-control server. This communication takes place securely over HTTPS. However, Eastwind Breach Detection can still detect that communication and flag it as a threat.
We can see that the callbacks happen periodically and that the number of bytes transferred is always the same. So, no matter where you get infected, as soon as you connect to a network with an Eastwind Network Sensor, you can rest assured that the threat will be detected.
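The two properties called out above, periodic callbacks and a constant byte count per callback, are exactly what a beaconing detector keys on, and they survive HTTPS because they are visible in flow metadata rather than payload. The script below is an added example, not Eastwind's detection logic, that scores each (source, destination, port) flow by the coefficient of variation of its inter-arrival intervals and of its transferred byte counts. The connection records, IP addresses (RFC 5737 documentation ranges) and threshold values are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: timestamp src dst dst_port bytes_out.
# The 203.0.113.7 flow mimics a periodic, fixed-size callback; the
# 198.51.100.20 flow mimics ordinary irregular browsing to one host.
LOG_LINES = """\
2016-03-10T09:00:00Z 10.1.2.15 203.0.113.7 443 612
2016-03-10T09:05:01Z 10.1.2.15 203.0.113.7 443 612
2016-03-10T09:10:00Z 10.1.2.15 203.0.113.7 443 612
2016-03-10T09:15:02Z 10.1.2.15 203.0.113.7 443 612
2016-03-10T09:20:00Z 10.1.2.15 203.0.113.7 443 612
2016-03-10T09:01:13Z 10.1.2.15 198.51.100.20 443 1480
2016-03-10T09:02:40Z 10.1.2.15 198.51.100.20 443 9033
2016-03-10T09:17:05Z 10.1.2.15 198.51.100.20 443 2210
2016-03-10T09:33:51Z 10.1.2.15 198.51.100.20 443 715
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flows[(src, dst, int(port))].append((t, int(nbytes)))
    return flows


def _cv(values):
    """Coefficient of variation: population stdev divided by mean."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_score(events, min_events=4, max_interval_cv=0.1, max_size_cv=0.05):
    """Score one flow; returns None when there are too few events to judge."""
    events = sorted(events)
    if len(events) < min_events:
        return None
    intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    sizes = [n for _, n in events]
    interval_cv, size_cv = _cv(intervals), _cv(sizes)
    return {
        "count": len(events),
        "mean_interval_s": statistics.mean(intervals),
        "interval_cv": interval_cv,
        "size_cv": size_cv,
        # Assumed thresholds: near-constant timing AND near-constant size.
        "beacon": interval_cv <= max_interval_cv and size_cv <= max_size_cv,
    }


def find_beacons(text, **thresholds):
    """Return only the flows whose score meets the beacon criteria."""
    hits = {}
    for key, events in parse_log(text).items():
        score = beacon_score(events, **thresholds)
        if score and score["beacon"]:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for flow, score in find_beacons(LOG_LINES).items():
        print(flow, score)
```

The thresholds are a starting point to tune against a baseline of the monitored network: software update checks and monitoring agents also beacon regularly, so hits should be enriched with destination reputation and the process that opened the connection before they are raised as alerts, and a longer observation window makes the interval statistics more robust.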
- Do NOT open attachments from untrusted sources.
- Do NOT enable macros inside documents.
- Get Eastwind Breach Analytics Cloud, the missing piece in your network and data security.
Eastwind Breach Detection—Always Watching. Always There.