Bartalex variants drop Pony and Dyre
Some strains of Bartalex malware have recently been seen dropping the Pony loader and the Dyre banking Trojan. The first iterations of Bartalex were examined in late March, embedded in Microsoft Word and Excel macros.
The attack vector never really went away, but Word documents booby-trapped with macro malware have lately been enjoying a comeback of sorts. Microsoft's Malware Protection Center also found an increasing number of threats using macros in January.
Security researcher Brad Duncan of Rackspace, a handler at the SANS Internet Storm Center, saw Bartalex spreading through a manipulated Word document this Tuesday.
The document purports to come from the payroll service ADP and concerns a rejected Automated Clearing House (ACH) payment. Duncan notes that the email's headers show it did not come from ADP. The document's metadata reveals nothing of note. A user who opened the file would execute any embedded macros, assuming they had macros enabled in Word.
Duncan says there were signs that Pony and Dyre were being deployed by this version of Bartalex. In the code he also noticed certificate data of the kind usually seen in SSL traffic generated by Dyre. In Security Onion, he saw a “number of events related to Bartalex and the Pony downloader.”
Three months ago, researchers noticed attackers spreading Bartalex via thousands of malicious Dropbox links. The malware downloaded versions of Dyre. Dropbox responded quickly and revoked the link-sharing ability of the accounts involved.