Pirate's keyboard

Trend Micro reports on a spam campaign that sent thousands of emails enticing readers to click a Dropbox link and download a Microsoft Office document.

That file contains the BARTALEX macro malware.

Once the macro is enabled, the malicious document downloads the banking malware TSPY_DYRE.YUYCC.

“This variant of the DYRE malware targets banks and financial institutions in the United States, among which are JP Morgan, U.S. Bank, California Bank & Trust, Texas Capital Bank, etc.”

The report says that “this isn’t the first time that Dropbox was reported to have been involved in malicious activity. Dropbox and other cloud-based services are known to host malware and cybercriminals’ C&C software, but this is the first time we’re seeing Dropbox used to host macro-based malware, which is rapidly increasing despite its being a thing of the past”.

“Macro malware like BARTALEX is seemingly more prominent than ever, which is an indicator that old threats are still effective infection vectors on systems today. And they seem to be adapting: they are now being hosted in legitimate services like Dropbox, and with the recent outbreak, macro malware may continue to threaten more businesses in the future”.

The SHA-1 hashes of the files detected as W2KM_BARTALEX.SMA are:

61a7cc6ed45657fa1330e922aea33254b189ef61
6f252485dee0b854f72cc8b64601f6f19d01c02c
85e10382b06801770a4477505ed5d8c75fb37135

The SHA-1 hash of the file detected as TSPY_DYRE.YUYCC is:

5e392950fa295a98219e1fc9cce7a7048792845e

The SHA-1 hashes of the malicious Microsoft Office documents are:

0163fbb29c18e3d358ec5d5a5e4eb3c93f19a961
02358bcc501793454a6613f96e8f8210b2a27b88
05fe7c71ae5d902bb9ef4d4e43e3ddd1e45f6d0c
11d6e9bf38553900939ea100be70be95d094248b
19aed57e1d211764618adc2399296d8b01d04d19
559a03a549acc497b8ec57790969bd980d7190f4
c0ca5686219e336171016a8c73b81be856e47bbc
d047decf0179a79fd4de03f0d154f4a2f9d18da4
d3bf440f3c4e63b9c7165c1295c11f71f60b5f8c
ec7a2e7c1dce4a37da99a8f20a5d4674f5c80a1f
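The indicator lists above are only useful if they are actually matched against files on disk. The following is an added example, not part of the original post or of Trend Micro's report: a small Python scanner that hashes every file under a directory with SHA-1 and labels any file whose digest appears in the report's lists (the hash values are copied from the post; the function names, the `INDICATORS` map and the constructed benign sample file are this example's own assumptions).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 indicators copied from the Trend Micro report quoted above.
# Detection names are the report's; the grouping into a dict is ours.
INDICATORS = {}
for h in (
    "61a7cc6ed45657fa1330e922aea33254b189ef61",
    "6f252485dee0b854f72cc8b64601f6f19d01c02c",
    "85e10382b06801770a4477505ed5d8c75fb37135",
):
    INDICATORS[h] = "W2KM_BARTALEX.SMA"          # the macro dropper
INDICATORS["5e392950fa295a98219e1fc9cce7a7048792845e"] = "TSPY_DYRE.YUYCC"  # banking payload
for h in (
    "0163fbb29c18e3d358ec5d5a5e4eb3c93f19a961",
    "02358bcc501793454a6613f96e8f8210b2a27b88",
    "05fe7c71ae5d902bb9ef4d4e43e3ddd1e45f6d0c",
    "11d6e9bf38553900939ea100be70be95d094248b",
    "19aed57e1d211764618adc2399296d8b01d04d19",
    "559a03a549acc497b8ec57790969bd980d7190f4",
    "c0ca5686219e336171016a8c73b81be856e47bbc",
    "d047decf0179a79fd4de03f0d154f4a2f9d18da4",
    "d3bf440f3c4e63b9c7165c1295c11f71f60b5f8c",
    "ec7a2e7c1dce4a37da99a8f20a5d4674f5c80a1f",
):
    INDICATORS[h] = "malicious Office document"


def sha1_of_bytes(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory blob (used for small samples and tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large attachments do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_hash(digest: str):
    """Return the report's detection name for a digest, or None if it is not listed.

    Hashes are normalised to lower case so digests pasted from other tools
    (which often print upper case) still match.
    """
    return INDICATORS.get(digest.strip().lower())


def scan_directory(root) -> list:
    """Hash every regular file under root and return (path, detection name) for hits."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            label = classify_hash(sha1_of_file(path))
            if label is not None:
                hits.append((str(path), label))
    return hits


def make_sample_dir() -> str:
    """Create a temporary directory holding one constructed, benign document.

    This is sample input invented for the example; it is not a real malware sample.
    """
    root = tempfile.mkdtemp(prefix="ioc-scan-")
    with open(os.path.join(root, "quarterly-report.doc"), "wb") as fh:
        fh.write(b"constructed benign sample, not one of the reported files")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    matches = scan_directory(target)
    if not matches:
        print(f"no indicator matches under {target}")
    for path, label in matches:
        print(f"{label}: {path}")
```

Run it with a directory argument (for example a mail gateway's attachment spool or a user's Downloads folder) to flag files that match the report. Hash matching is deliberately exact, so a recompiled or repacked sample will not match; treat a hit as confirmation and a miss as no information, and pair this with a control that blocks or prompts on documents containing macros rather than relying on hashes alone.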
