Thursday, April 30, 2015

Watch out for fake ACH, Dropbox and Microsoft Word documents

A recent outbreak spreading by email is targeting users of common office documents. The malware, called BARTALEX, uses a Microsoft Word document and a social engineering lure that enterprises will readily recognize, which makes infection all too possible. This attack highlights how macro malware in Microsoft Office files is fast becoming a significant threat to businesses and organizations.

In this attack, the spammed messages all relate to Automated Clearing House (ACH) fraud. ACH is a network used for electronic fund transfers in the United States; as a result it is frequently used by businesses that need to transact with other companies on a regular basis.

Figure 1. Sample spammed email that leads to W2KM_BARTALEX.SMA

ACH fraud is a typical cybercriminal hook seen in spammed emails, but instead of attachments, these email messages contain a Dropbox link. The URL leads to a Dropbox page that contains a specific and pretty convincing Microsoft Office warning that instructs users to enable the macros.

Figure 2. A Dropbox page contains the malicious macro

Upon enabling the macro, the malicious document triggers the download of the banking malware TSPY_DYRE.YUYCC. This malware targets banks and financial institutions in the United States, including JP Morgan, U.S. Bank, California Bank & Trust and Texas Capital Bank, among others. Based on feedback from the Smart Protection Network, the United States is the top country affected by BARTALEX, followed by Canada and Australia.
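As an added defender-side example (not code from the original post or from Trend Micro), the following Python triage check flags the three indicators of the campaign described above in a single message: an ACH-themed lure, a Dropbox-hosted link, and an attached Office Open XML document that carries a VBA project (the standard `vbaProject.bin` part). The message text and the in-memory document are constructed samples; the regular expressions are assumptions about what the lure looks like, and legacy OLE `.doc` files are not parsed.

```python
import io
import re
import zipfile
from typing import List, Optional

# Campaign indicators: ACH lure wording, a Dropbox link, and a macro-bearing document.
ACH_RE = re.compile(r"\bACH\b|automated clearing house", re.IGNORECASE)
DROPBOX_RE = re.compile(r"https?://(?:www\.)?(?:dl\.)?dropbox(?:usercontent)?\.com/\S+",
                        re.IGNORECASE)
# Standard OOXML part names for the VBA project (the macro container).
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_vba_macro(doc_bytes: bytes) -> bool:
    """True if an Office Open XML file contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            names = set(zf.namelist())
            if any(part in names for part in MACRO_PARTS):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return "macroEnabled" in types_xml
    except zipfile.BadZipFile:
        pass  # not OOXML (e.g. a legacy OLE .doc): this check cannot decide
    return False


def triage_message(subject: str, body: str, attachment: Optional[bytes] = None) -> List[str]:
    """Return the campaign indicators found in one email (empty list: none matched)."""
    hits = []
    text = subject + "\n" + body
    if ACH_RE.search(text):
        hits.append("ach_lure")
    if DROPBOX_RE.search(text):
        hits.append("dropbox_link")
    if attachment is not None and has_vba_macro(attachment):
        hits.append("macro_document")
    return hits


def build_sample_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"stub VBA storage")
    return buf.getvalue()
```

A message that scores all three indicators is a strong candidate for quarantine and user notification; a lone `dropbox_link` hit is better treated as a review item than an alert.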

Additionally, we noticed that this attack used an old Microsoft Office 2010 logo. Given that many enterprises do not immediately upgrade to the latest Office versions, it is possible that users within enterprise organizations may fall victim to this technique.

Figure 3. W2KM_BARTALEX infection count over the last three months

For more technical details, see the original Trend Micro blog post: Enterprises Hit by BARTALEX Macro Malware in Recent Spam Outbreak

Monday, April 27, 2015

Common Virus Definitions

Add-on
Software that adds benefits or features to an existing program, for example a particular search engine interface added to your browser.
Adware
A type of malware that bombards the user with advertisements. This may include pop-up or in-browser ads.
Drive By (drive by exploit, drive by vulnerability)
An exploit or malware that can infect the user's system without any interaction from the user. The user is not required to "click" anywhere, open anything, or respond to any dialog box.
Exploit
Any trick or combination of actions that can take advantage of a vulnerability to install some type of malware.
Malware
Any collection of programs and/or configuration changes that alters the operation of the user's system in a negative way. Includes: viruses, worms, PUPs, and others.
Potentially Unwanted Program (PUP)
A type of malware that alters the operation of the user's system, but also provides a useful feature. Some users are willing to live with the negative aspects of the program in order to gain the benefits. Typically, PUPs are distributed as "free" games, shopping incentives (sales, coupons), or web browsing enhancements.
Ransomware
A type of malware that encrypts or locks the user's system or data (files, pictures, other important info). Typically, the user is presented with an option to pay a ransom of about $500 to regain access.
A type of malware that alters the operation of the user's system for evil.
Vulnerability (bug, flaw)
A previously undetected problem with your operating system or installed software that exposes a weakness that can be exploited by a malware author.
Zero Day (zero day exploit)
A vulnerability so new that no fix is yet available. The term is used most often to refer to specific malware that already exploits the new vulnerability, and is so named because the developers had "zero" days to find and fix the problem.