In this attack, the messages were all related to Automated Clearing House (ACH) fraud. ACH is a network used for electronic fund transfers in the United States; as a result, it is frequently used by businesses that need to transact with other companies on a regular basis.
Figure 1. Sample spammed email that leads to W2KM_BARTALEX.SMA
ACH fraud is a typical cybercriminal hook seen in spammed emails, but instead of attachments, these email messages contain a Dropbox link. The URL leads to a Dropbox page that contains a specific and pretty convincing Microsoft Office warning that instructs users to enable the macros.
Figure 2. A Dropbox page contains the malicious macro
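The delivery pattern described above (an ACH-themed message that carries a Dropbox link and no attachment) can be turned into a mail-triage check. The following is an added example, not code from the original post or from Trend Micro; the term list, host list, function names and sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed values for illustration; tune both lists for your own mail flow.
LURE_TERMS = ("ach", "automated clearing house")
FILE_SHARE_HOSTS = ("dropbox.com",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def text_body(msg):
    """Join the decoded text of every text/* part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def file_share_links(body):
    """Return URLs whose host is, or is a subdomain of, a listed file-sharing host."""
    hits = []
    for url in URL_RE.findall(body):
        try:
            host = (urlparse(url).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            hits.append(url)
    return hits

def triage(raw):
    """Flag mail that pairs an ACH lure with a file-sharing link and no attachment."""
    msg = message_from_string(raw)
    body = text_body(msg)
    haystack = (str(msg.get("Subject", "")) + "\n" + body).lower()
    lure = any(re.search(r"\b" + re.escape(t) + r"\b", haystack) for t in LURE_TERMS)
    links = file_share_links(body)
    attached = any(p.get_filename() for p in msg.walk())
    return {"lure": lure, "links": links, "attachment": attached,
            "flag": lure and bool(links) and not attached}

# Constructed sample message (not taken from the campaign).
SAMPLE = (
    "From: payments@example.com\nTo: user@example.org\n"
    "Subject: ACH transfer rejected\n\n"
    "Your ACH payment was declined. Review the report:\n"
    "https://www.dropbox.com/s/EXAMPLE/report.doc?dl=0\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```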
Once the user enables the macro, the malicious document triggers the download of the banking malware TSPY_DYRE.YUYCC. This malware targets banks and financial institutions in the United States, among which are JP Morgan, U.S. Bank, California Bank & Trust, Texas Capital Bank, etc. Based on feedback from the Smart Protection Network, the United States is the top country affected by BARTALEX, followed by Canada and Australia.
Additionally, we noticed that this attack used an old Microsoft Office 2010 logo. Given that many enterprises do not immediately upgrade to the latest Office versions, it is possible that users within enterprise organizations may fall victim to this technique.
Figure 3. W2KM_BARTALEX infection count over the last three months
For more technical details, see the original Trend Micro blog:
Enterprises Hit by BARTALEX Macro Malware in Recent Spam Outbreak