Macro malware makes a comeback with BARTALEX attack

Macro malware isn't dead yet, if a new campaign targeting banks and financial institution is any indication.

Described as an “outbreak” of spam messages by Trend Micro in a new blog post, attackers are sending phishing emails claiming to be from Automated Clearing House (ACH), an electric fund transfer company. The emails are sent to various company employees, along with a link to “view the full details” of a transfer, faxed message or some other financial transaction-related endeavor.

The link leads to a Dropbox page that attempts to convince the victim to enable the macros on Microsoft Office to view a hosted document. If enabled, the BARTALEX malware-laden document will then drop Dyre banking malware.

The majority of infections, 35 percent, occurred in the U.S.

This marks the first time Macro malware has been hosted on Dropbox, although cloud services have been used in multiple attacks to host Command and Control (C&C) servers, as well as malicious files.

Christopher Budd, global threat communications manager at Trend Micro, told that the new attack was a natural progression in cloud hosting.

“Business drivers in IT that legitimate businesses are following affect the criminal element as well,” he said. “The cloud makes a lot of sense for businesses and criminals, as well, so we're seeing more and more infrastructure move to the cloud because it's cheap and easy. It's easier to throw something up on Dropbox than go through the trouble of building your own server and maintaining it.”

This particular attack has more than 1,000 malicious Dropbox links at its disposal; however, a company spokesperson confirmed to that the accounts involved are no longer able to share links because it violated its “Acceptable Use Policy.”

More than the cloud element, Budd stressed that this resurgence in Macro malware is troublesome and indicates that old threats remain an issue for modern businesses, even though fixes have already been put in place.

“Security improvements that we put in at Microsoft to close that attack vector had put the kibosh on Macro-based malware for a while, but clearly we're seeing people return to this and get around those protections for social engineering,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.