• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Macro-based Malware Increases Along with Spam Volume, Now Drops BARTALEX

Macro-based Malware Increases Along with Spam Volume, Now Drops BARTALEX

  • Posted on:March 24, 2015 at 4:44 pm
  • Posted in:Malware, Spam
  • Author:
    Maydalene Salvador (Anti-spam Research Engineer)
1

Early this year Microsoft reported an increase in macro-related threats being used to spread malware via spam. Similarly, we’ve been seeing a drastic increase in spammed emails with attached Microsoft Word documents and Microsoft Excel spreadsheets that come with embedded macros.

Macros are a set of commands or code that are meant to help automate certain tasks, but recently the bad guys have yet again been utilizing this heavily to automate their malware-related tasks as well. Here are some recent blog posts in which we tackled various macro-based malware:

  • Banking Trojan DRIDEX Uses Macros for Infection
  • ROVNIX Infects Systems with Password-Protected Macros
  • Banking Malware VAWTRAK Now Uses Malicious Macros, Abuses Windows PowerShell

Recent spammed emails now spread BARTALEX malware

A recent sample email pictured below shows a fake Air Canada e-ticket with faulty airline information attached in the form of a .DOC file. Opening the .DOC file leads to a document with a malicious macro. We detect this as W2KM_BARTALEX.EU.

Figure 1. Fake e-ticket from Air Canada carries a .DOC file with a malicious macro

Figure 2. Macro warning when opened in Microsoft Word 2010

W2KM_BARTALEX is the most recent addition to the roster of macro-based malware we wrote about in the past. It serves as a downloader for info-stealing malware like UPATRE and drops files depending on the OS version of the system it affects. Other macro-based malware utilize the macro itself to download other malware while W2KM_BARTALEX drops .bat, .vbs, and .ps1 files to download more malicious files.

For Windows OSs Vista and later, W2KM_BARTALEX drops a file named adobeacd-update.bat, which executes adobeacd-update.ps1 using the Windows PowerShell® command shell. The PowerShell command was previously abused in another macro-related attack in February this year that involved the malware VAWTRAK.

Recent wave of macro-related malware—just the tip of the iceberg?

Common file extensions for macro-related spam we’ve noted in the past include .DOC, .DOCM, and .XLS. Another wave seen in February includes .XLSM (pictured below).

Figure 3. Latest wave of macro-related spam now include .XLSM file attachments

Spam with macro-based malware typically make use of social engineering lures like remittance and invoice notifications, emails related to tax and payment slips, payment confirmation, purchase orders, etc. Most of the spammed emails even contain so-called shipping codes in the email subject to appear authentic.

We may be seeing more things to come for the spam landscape for the rest of the year along with the newest wave of spammed emails that carry W2KM_BARTALEX. While it serves as the latest malware addition, other detections for macro-based malware include X2KM_DLOARDR, W97M_MDROP, X2KM_DRILOD, and W97M_SHELLHIDE. These malware lead to their final malware payloads, which include banking malware ROVNIX, VAWTRAK, DRIDEX, and NEUREVT aka Beta Bot.

Number of macro-based malware slowly increasing

The bar graph below offers a quick look into the total spam volume compared against spammed emails that carry malicious macros and UPATRE-related spam. Though we are mostly seeing UPATRE malware attached to spam, macro-based malware in spam have slowly been gaining traction since December 2014 and may continue to do so in the next months.

Figure 4. Volume of macro-based malware in spam compared against UPATRE malware and the total spam volume

Best practices

As always we recommend that users exercise caution when opening email attachments, even those from familiar or known senders. Ignore emails sent from unknown email addresses and especially avoid opening any type of attachments they may have. As an added measure, make sure to enable the macro security features in applications.

Users are protected from this threat via Trend Micro™ Security software, which safeguards against viruses, phishing, and other Internet threats. Businesses are also protected with Endpoint Security in Trend Micro™ Smart Protection Suite as it offers multiple layers of protection.

Related hashes:

  • c8683031e76cfbb4aba2aea27b8a77833642ea7d – W97M_MDROP

With additional input and analysis by Ryan Gardo

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: bartalexmacro malwareMicrosoft OfficeSpam

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.