The malicious macro campaigns that have dominated the landscape since December (1) continue to evolve as actors adjust techniques, payloads and targets. A relatively recent innovation (2 and 3) has been to create the Microsoft Word attachment as a MIME-formatted file with an MSO attachment that contains the OLE file with the malicious macro code. This technique causes the attachment to appear as a normal “DOC” file to the end-user while resisting analysis by automated tools that do not include the ability to read the OLE content. When the end-user opens the file it presents to the end user the Enable Content button that we have seen so much of late.
(Interestingly, this masking technique seems to result in a higher proportion of “duds” in which incorrectly formatted MIME causes the document to fail to open in Word.)
As part of this this continued evolution, the actor behind Dridex botnet #120 – one of the earliest actors Proofpoint researchers analyzed in these campaigns – was recently detected directing this OLE/MIME formatted attack at recipients in Europe, including a large campaign on 10 June targeted at Polish users. (Fig. 1)
Figure: Polish-language phishing message with malicious Word attachment
This campaign was noteworthy because the actor shifted their primary payload to the Rovnix (4) banking Trojan, instead of their more typical Dridex payload. The messages were delivered in two runs on 10 June and included DOC attachments, and the first run showed 0/57 detection on VirusTotal on the first day, and as of 16 June still only had 8/57 detection by antivirus engines.
The dropped Rovnix – which uses web injects to capture only online banking credentials – targets Polish and Italian banks, which are different targets from the US and UK banks normally targeted by the Dridex 120.
Since this campaign was first detected, the Dridex 120 actor appears to have shifted focus from Poland to France. Research by Proofpoint threat analysts show that in a campaign that began on 17 June, infections of French systems outnumbered Polish systems 150:1. Moreover, for the campaign the number of infections of French systems were 11 times greater than the sum of infected systems in the top ten other countries combined, highlighting the way that attackers quickly shift focus from one target to another, be it a country, region or industry.
While French organizations should be on the alert not only for new phishing messages targeting their users, but also for signs that their end-user systems have been infected by this dangerous Trojan, this and other actors can also very quickly shift to targeting users in a different country. As a result, all organizations should take precautions to ensure that they can detect and stop this and future versions of these malicious macro attacks.
The day after detecting the Dridex 120 actors shifting their campaigns to focus intensively on French recipients, Proofpoint threat analysts detected additional campaigns targeting France. Unlike the attachment-based payloads used by the Dridex / Rovnix campaigns, however, at least one campaign employed URLs to deliver payloads to the targeted systems.
Figure 2: Unsolicited email with URL targeting French organizations
The link downloads an archive file that installs the Gootkit banking Trojan (5 & 6), albeit in a somewhat unusual manner: the URL links to a zipped Microsoft Word document that uses a malicious macro to pull down an executable that in turn installs the Gootkit malware. (Fig. 3)
Figure 3: Unzipped document from linked archive file, with prompt to enable (malicious) macro
This combination of delivery techniques highlights on the one hand the continued adaptations by attackers to evade existing detection techniques, and on the other their confidence that end users will click on malicious content – and in this case, click not once but three times.
The payload and the use of URLs rather than attachments indicate that this is a different actor, which suggests a larger, more worrying trend: attackers have spent months honing their campaigns and delivery techniques against English-speaking targets in the US and UK. As organizations in these countries detect and adapt to these campaigns, attackers are now seeking new victims abroad, where defenses might be less robust: the challenge for French and other organizations is that they are being exposed from the start to more sophisticated and effective campaigns than their English-speaking counterparts first encountered, and so they are at even greater risk of infection and loss. The ability of French organizations to rapidly detect and block these campaigns will determine the how long attackers maintain this focus and how many other actors add to the fray.