Telemetry data shows users in the US are most affected

Apr 27, 2015 21:29 GMT  ·  By

In a recent malicious email campaign, messages purporting to be from the Automated Clearing House (ACH) provide a link to a malicious Word document that contains a macro script with instructions to download the Dyre financial Trojan.

ACH is a network for making financial transactions across the US. It makes for a fast way to send money from one part of the country to another, which covers the needs of many businesses.

Crooks use social engineering to achieve their goal

Social engineering is again paramount for the attack to work, so the cybercriminals have resorted to the dirtiest tricks, delivering an email informing the victim that an alleged ACH transfer sent earlier was not approved by the bank.

This type of lure is designed to entice the recipient to open the document containing the details, regardless of whether a transfer was initiated or not. Those who did not attempt any money transfer may want to check the details to make sure that no fraudulent activity occurred, while those who did try to send money would want to learn the cause of the failure.

Macro scripts are used in Microsoft Office components to help users automate routines for frequently used tasks. The feature is disabled by default, and turning it on comes with a security warning about the potentially malicious purpose of scripts present in documents of unknown origin.

Malicious Word file is stored in Dropbox account

The malicious email observed by the researchers does not carry the rigged document as an attachment; instead, it provides a link to a location in Dropbox cloud storage.

Once the file has been downloaded and launched, the user is informed that the content cannot be seen until macros are enabled.
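As an added defensive example (not code from the article or from Trend Micro), the following Python triage script scores an incoming message for the traits of the lure described above (ACH wording, a failed-transfer story, a document served via a Dropbox link instead of an attachment) and checks whether a downloaded OOXML Word container carries a VBA macro part. The sample email and the minimal document container are constructed for the example; legacy binary .doc files are OLE2 compound files and would need an OLE parser such as oletools' olevba, which this script does not implement.

```python
import io
import re
import zipfile

# Constructed sample e-mail text mimicking the ACH lure the article describes; not a real message.
SAMPLE_EMAIL = """Subject: ACH transfer rejected
Your ACH transaction sent earlier today was not approved by the bank.
Please review the details: https://www.dropbox.com/s/EXAMPLEID/ACH_details.doc?dl=1
"""

# Lure traits drawn from the campaign description; word boundaries keep "ach" from matching "attach".
LURE_PATTERNS = (r"\bach\b", r"\btransfer\b", r"not approved", r"rejected")
LINK_RE = re.compile(r"https?://[^\s<>\"']+")


def score_ach_lure(text):
    """Return (score, links): score counts lure traits found in the message text."""
    lower = text.lower()
    links = LINK_RE.findall(text)
    score = sum(1 for pat in LURE_PATTERNS if re.search(pat, lower))
    if any("dropbox.com" in link.lower() for link in links):
        score += 1  # document delivered via a cloud-storage link instead of an attachment
    return score, links


def has_vba_project(data):
    """True if an OOXML (.docx/.docm) zip container carries a VBA macro part.

    Returns False for anything that is not a zip (e.g. a legacy OLE2 .doc),
    so the caller should hand such files to an OLE-aware parser instead.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_docx(with_macro):
    """Constructed minimal OOXML container for testing; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, no real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    score, links = score_ach_lure(SAMPLE_EMAIL)
    print("lure score:", score, "links:", links)
    print("macro part present:", has_vba_project(build_sample_docx(True)))
```

A message scoring 4 or more out of 5, combined with a macro-bearing document behind the link, is worth holding for analyst review rather than delivering.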

Christopher Talampas, fraud analyst at Trend Micro, says in a blog post on Monday that the macro malware is called Bartalex. The instructions included in the macro trigger the download of the Dyre banking malware, also known as Dyreza, which targets financial institutions such as JP Morgan, U.S. Bank, California Bank & Trust, and Texas Capital Bank.

Telemetry data from the security company reveals that Bartalex is most prevalent in the US (35.52%), followed by Canada (11.54%) and Australia (11.06%).

Image: Malicious document downloaded from Dropbox account

Image: 3-month global stats for Bartalex infections