Enterprises Hit by BARTALEX Macro Malware in Recent Spam Outbreak

Enterprises are currently being targeted by the macro malware BARTALEX in a recent outbreak of thousands of spammed emails. The infection routine for BARTALEX uses a Microsoft Word document and a social engineering lure that enterprises widely recognize—making infection all too possible. This attack highlights how macro malware in Microsoft Office files is fast becoming a major threat to businesses and organizations.

BARTALEX Infection Chain

In this attack, a colleague of mine noticed an outbreak of spammed messages all related to Automated Clearing House (ACH) fraud. ACH is a network used for electronic fund transfers in the United States; as a result it is frequently used by businesses that need to transact with other companies on a regular basis.

ACH fraud is a typical cybercriminal hook seen in spammed emails. Instead of an attachment, the message this time bore a link to “view the full details.” Other templates used for these spammed emails involve messages about received faxes, parcels, invoice and billing statements, and wire transfers.

Figure 1. Sample spammed email that leads to W2KM_BARTALEX.SMA

By hovering over the URL, we can see that it points to a Dropbox link with a file name related to the supposed ACH transaction. The URL leads to a Dropbox page that contains specific instructions and an almost convincing Microsoft Office warning that instructs users to enable macros.

This malicious document is detected as W2KM_BARTALEX.SMA. As of this writing, more than a thousand similar Dropbox links were found with the same routines.

Figure 2. A Dropbox page contains the malicious macro (click to enlarge)

Once the macro is enabled, the malicious document triggers the download of the banking malware TSPY_DYRE.YUYCC. This DYRE variant targets banks and financial institutions in the United States, among which are JP Morgan, U.S. Bank, California Bank & Trust, and Texas Capital Bank.

Based on feedback from the Smart Protection Network, the United States is the top country affected by BARTALEX malware overall, followed by Canada and Australia. Additionally, we noticed that this attack used an old Microsoft Office 2010 logo. Given that many enterprises do not immediately upgrade to the latest Office versions, it is possible that users within enterprise organizations may fall victim to this technique.

Figure 3. W2KM_BARTALEX infection count over the last three months

Malware Improvements

This latest observation is but another development for both BARTALEX and DYRE. We previously reported on BARTALEX malware that was attached to spammed emails.

In January this year, we wrote about improved DYRE infection techniques. These techniques involve hijacking Microsoft Outlook to spread UPATRE, which inevitably downloads the data-stealing malware ZeuS and ransomware.

Dropbox not new to malicious activity

This isn’t the first time that Dropbox has been reported to be involved in malicious activity. Dropbox and other cloud-based services are known to host malware and cybercriminals’ C&C software, but this is the first time we’re seeing Dropbox used to host macro-based malware, which is rapidly increasing despite having long been considered a thing of the past.

We have already contacted Dropbox about the more than a thousand links hosted on their site.

Macro malware still in the picture

Macro malware like BARTALEX is seemingly more prominent than ever, which is an indicator that old threats are still effective infection vectors on systems today. And they seem to be adapting: they are now being hosted on legitimate services like Dropbox, and with the recent outbreak, macro malware may continue to threaten more businesses in the future.

Addressing macro malware in an enterprise (and small and medium-sized business) setting involves reevaluating and revisiting existing security policies. It’s also advisable to reduce the attack surface by making sure systems within the organization have the necessary security measures in place: for instance, it may be wise to disable Windows Scripting Host on users’ systems if it serves no substantial purpose. Lastly, user education will go a long way in defending against these types of threats, in particular those that exploit human error, e.g., enabling malicious macros in Word documents.

The hashes of the files detected as W2KM_BARTALEX.SMA are:

  • 61a7cc6ed45657fa1330e922aea33254b189ef61
  • 6f252485dee0b854f72cc8b64601f6f19d01c02c
  • 85e10382b06801770a4477505ed5d8c75fb37135

The hash of the file detected as TSPY_DYRE.YUYCC is:

  • 5e392950fa295a98219e1fc9cce7a7048792845e

The hashes of the malicious Microsoft Office documents are:

  • 0163fbb29c18e3d358ec5d5a5e4eb3c93f19a961
  • 02358bcc501793454a6613f96e8f8210b2a27b88
  • 05fe7c71ae5d902bb9ef4d4e43e3ddd1e45f6d0c
  • 11d6e9bf38553900939ea100be70be95d094248b
  • 19aed57e1d211764618adc2399296d8b01d04d19
  • 559a03a549acc497b8ec57790969bd980d7190f4
  • c0ca5686219e336171016a8c73b81be856e47bbc
  • d047decf0179a79fd4de03f0d154f4a2f9d18da4
  • d3bf440f3c4e63b9c7165c1295c11f71f60b5f8c
  • ec7a2e7c1dce4a37da99a8f20a5d4674f5c80a1f
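For defenders who want to turn the indicators above into a quick sweep of a file share or mail quarantine, here is an added example (not Trend Micro's code) that loads the SHA-1 values exactly as printed in this post, hashes every file under a directory in streaming fashion, and reports any match together with its detection name. The `demo_sweep` function builds a throwaway directory with two constructed files and registers one of them under a clearly labelled constructed detection name, so the sweep can be exercised offline; all file names and byte strings in it are assumptions for the demonstration, not artifacts from the campaign.

```python
"""Hash-based IoC sweep for the BARTALEX / DYRE samples listed in the post.

Added example, not Trend Micro code. The SHA-1 values are the ones printed
in the post; every file path and sample byte string below is constructed
for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile

# SHA-1 indicators as given in the post, keyed by detection name.
IOCS = {
    "W2KM_BARTALEX.SMA": {
        "61a7cc6ed45657fa1330e922aea33254b189ef61",
        "6f252485dee0b854f72cc8b64601f6f19d01c02c",
        "85e10382b06801770a4477505ed5d8c75fb37135",
    },
    "TSPY_DYRE.YUYCC": {
        "5e392950fa295a98219e1fc9cce7a7048792845e",
    },
    "Malicious Office document (BARTALEX campaign)": {
        "0163fbb29c18e3d358ec5d5a5e4eb3c93f19a961",
        "02358bcc501793454a6613f96e8f8210b2a27b88",
        "05fe7c71ae5d902bb9ef4d4e43e3ddd1e45f6d0c",
        "11d6e9bf38553900939ea100be70be95d094248b",
        "19aed57e1d211764618adc2399296d8b01d04d19",
        "559a03a549acc497b8ec57790969bd980d7190f4",
        "c0ca5686219e336171016a8c73b81be856e47bbc",
        "d047decf0179a79fd4de03f0d154f4a2f9d18da4",
        "d3bf440f3c4e63b9c7165c1295c11f71f60b5f8c",
        "ec7a2e7c1dce4a37da99a8f20a5d4674f5c80a1f",
    },
}


def validate_iocs(iocs):
    """True if every indicator is a 40-character lowercase hex SHA-1."""
    return all(
        len(h) == 40 and all(c in "0123456789abcdef" for c in h)
        for hashes in iocs.values() for h in hashes
    )


def build_index(iocs):
    """Invert {detection: {sha1, ...}} into {sha1: detection} for O(1) lookup."""
    index = {}
    for name, hashes in iocs.items():
        for h in hashes:
            index[h.lower()] = name
    return index


def sha1_of_bytes(data):
    """SHA-1 hex digest of an in-memory buffer (e.g. a mail attachment)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so large attachments do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, index):
    """Walk `root` and return [(path, sha1, detection)] for every file whose
    SHA-1 is in `index`. Unreadable files are skipped rather than aborting."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue
            if digest in index:
                hits.append((path, digest, index[digest]))
    return hits


def demo_sweep():
    """Create a throwaway directory with two constructed files, register the
    hash of one of them under a constructed detection name, and sweep it.
    Returns the hit list, which contains only the constructed sample."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    try:
        benign = os.path.join(root, "quarterly-report.docx")    # constructed name
        sample = os.path.join(root, "ACH_transaction_2015.doc")  # constructed name
        with open(benign, "wb") as f:
            f.write(b"constructed benign content")
        with open(sample, "wb") as f:
            f.write(b"constructed stand-in for a macro document")
        index = build_index(IOCS)
        index[sha1_of_file(sample)] = "CONSTRUCTED-TEST-SAMPLE"
        return sweep(root, index)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    assert validate_iocs(IOCS)
    for path, digest, detection in demo_sweep():
        print(f"{detection}\t{digest}\t{path}")
```

To use it against a real share, call `sweep("/path/to/share", build_index(IOCS))`; the index is a plain dict, so additional indicators from your own telemetry can be merged in before the sweep. SHA-1 is used only because that is what the post publishes; a match is an exact-file indicator, so repacked or edited variants of the same document will not be caught by this check alone.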

Additional analysis by Cris Pantanilla, Francis Antazo, Jay Yaneza, and Maydalene Salvador

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 27 April 2015; the full text is available from the content source above.