Macro-Based Bartalex Malware Spreads Pony Loader and Dyre Trojan - How to, Technology and PC Security Forum | SensorsTechForum.com


Earlier this year, in March, a macro-based malware called Bartalex was detected. Macro-based attacks abusing Microsoft Word and Excel documents keep occurring even though the technique is an old trick that has been around for more than a decade. New Bartalex activity was recently spotted by Rackspace security researcher Brad Duncan: Bartalex is now being used to spread the Pony Loader malware and the infamous Dyre banking Trojan.

Bartalex – Pony Loader – Dyre Contamination Path

Duncan spotted Bartalex spreading through a Word document that claimed to come from the payroll service ADP. As with most social engineering scams, users who read their Inbox carefully can distinguish fraudulent senders from legitimate ones. A close look at the email's headers is enough to conclude that ADP did not send the message. However, if users have macros enabled, opening the attached file is sufficient to activate the threat.
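The header check described above can be automated. The following is an added example, not code from the article or from Duncan's analysis: it parses a raw message and reports every envelope-level or relay domain that disagrees with the visible From: domain. The sample message and all domains in it are constructed placeholders.

```python
# Added example (not from the article): compare the visible From: domain with
# the envelope and relay headers, which is the review the text recommends.
import email
from email.utils import parseaddr

# Constructed sample message. The From: line claims a payroll-service domain,
# while the envelope sender, Reply-To and last relay point somewhere else.
# All domains are placeholders, not real infrastructure.
SAMPLE_EMAIL = """\
Return-Path: <bounce@example-bulk-mailer.test>
Received: from mail.example-bulk-mailer.test (mail.example-bulk-mailer.test [192.0.2.10])
\tby mx.example-victim.test with ESMTP id ABC123
From: "ADP Payroll" <payroll@adp-example.test>
Reply-To: <payroll-reply@example-bulk-mailer.test>
Subject: Payroll invoice attached
Content-Type: text/plain

Please open the attached document and enable content.
"""


def _domain(addr):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_findings(raw_message):
    """Return (header, domain) pairs whose domain differs from the From: domain.

    An empty list means every checked header agrees with From:. A non-empty
    list is a cue for a closer look, not proof of spoofing on its own.
    """
    msg = email.message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    findings = []

    # Envelope sender and reply target should normally match the claimed sender.
    for hdr in ("Return-Path", "Reply-To"):
        d = _domain(msg.get(hdr))
        if d and d != from_domain:
            findings.append((hdr, d))

    # The topmost Received: header is written by the receiving MX and names
    # the last relay that handed the message over ("from <host> ...").
    received = msg.get_all("Received") or []
    if received:
        tokens = received[0].split()
        if len(tokens) > 1 and tokens[0].lower() == "from":
            relay = tokens[1].lower()
            if not relay.endswith(from_domain):
                findings.append(("Received", relay))
    return findings


if __name__ == "__main__":
    for header, domain in header_findings(SAMPLE_EMAIL):
        print(f"{header}: {domain} does not match From: domain")
```

The relay comparison is deliberately coarse (a suffix match on the host name); legitimate bulk senders often relay through a third-party domain, so this is a triage signal to read alongside SPF and DKIM results rather than a verdict.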

Duncan's research, based on traffic and network protocol analysis, indicates that the new strain of Bartalex deploys Pony Loader and Dyre. He observed certificate data typical of the SSL traffic generated by Dyre, along with network activity characteristic of Bartalex and Pony.

Description of Pony Loader

Pony Loader first appeared years ago. The infamous information stealer has been used to spread the Zeus and Necurs Trojans, as well as the Cryptolocker and Cribit ransomware. Pony Loader 2.0, also known as Fareit, has been redesigned to steal cryptocurrency wallets, including:

Bitcoin, Litecoin, MultiBit, Namecoin, Terracoin, Primecoin, Feathercoin, NovaCoin, MegaCoin, Digitalcoin, Zetacoin, Fastcoin, Tagcoin, Bytecoin, Florincoin, Luckycoin, etc.

Bartalex has been reported to spread Dyre before, but according to the evidence, this is the first time Pony Loader has been seen deploying it.

Description of Dyre Banking Trojan

SensorsTechForum researchers have already described Dyre attacks. Dyre, also known as Dyreza and Dyranges, is malware designed exclusively to steal banking credentials. The Trojan has focused primarily on customers of Bank of America and Citibank, RBS and NatWest in the UK, and Ulster Bank in Ireland. Dyre attacks usually start the same way: by luring the user into opening a malicious PDF attachment pretending to be an invoice. The document contains exploits for Adobe Reader vulnerabilities, so users running unpatched or older versions are easily compromised.

Bartalex – Pony Loader – Dyre Malicious Combination

According to extensive security research, the latest strain of Bartalex has been spread via thousands of infected Dropbox links. Presumably, some of them were used to deploy the Pony Loader malware and others the Dyre banking Trojan.

How to Stay Safe

Macro-based attacks differ from exploit-based attacks in one important way: they require user interaction to deliver the final payload. To limit the chance of such an attack succeeding, users should be careful about the following:

  • Opening suspicious, unexpected emails and reading the attached documents.
  • Enabling macros by instructions given in such documents.
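Because a macro document does nothing until the user enables content, a mail gateway or endpoint scanner can flag such attachments before a user ever sees the prompt. The following is an added example, not code from the article: it checks whether an Office attachment carries a VBA project, handling both OOXML containers (.docm/.xlsm, a zip with a vbaProject.bin part and a macroEnabled content type) and the legacy OLE compound format (.doc/.xls, where a heuristic string scan looks for the VBA storage names). The sample documents are constructed in code and are not real malware.

```python
# Added example (not from the article): flag Office attachments that carry a
# VBA project, so macro documents can be quarantined before a user is asked
# to "enable content".
import io
import zipfile

# First eight bytes of an OLE compound file (legacy .doc / .xls).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MACRO_CT = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def _build_ooxml(content_type, with_vba):
    """Construct a minimal OOXML container (not a real document) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   b'<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
                   b'ContentType="' + content_type + b'"/></Types>')
        z.writestr("word/document.xml", b"<w:document/>")
        if with_vba:
            # Real files hold a compiled VBA project here; the content is irrelevant.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_docm():
    """Constructed macro-enabled document: vbaProject.bin present, macroEnabled type."""
    return _build_ooxml(MACRO_CT, with_vba=True)


def build_sample_docx():
    """Constructed plain document: no VBA part, ordinary content type."""
    return _build_ooxml(PLAIN_CT, with_vba=False)


def build_sample_ole():
    """Constructed stand-in for a legacy .doc with a 'Macros' storage entry.

    Only the magic bytes and a UTF-16LE directory name are modelled, which
    is all the heuristic below looks at; a real CFB file is far more complex.
    """
    return OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64


def macro_indicators(data):
    """Return a list of indicator strings; an empty list means no macro evidence."""
    findings = []
    if data.startswith(OLE_MAGIC):
        # CFB directory entry names are stored as UTF-16LE. Word keeps its VBA
        # project under a "Macros" storage with a "_VBA_PROJECT" stream; this
        # substring scan is a heuristic, not a full CFB parse.
        for name in ("_VBA_PROJECT", "Macros"):
            if name.encode("utf-16-le") in data:
                findings.append("ole:" + name)
        return findings
    if not data.startswith(b"PK"):
        return findings  # not an OOXML zip; nothing to say
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for n in names:
            if n.lower().endswith("vbaproject.bin"):
                findings.append("ooxml:" + n)
        if "[Content_Types].xml" in names:
            if b"macroEnabled" in z.read("[Content_Types].xml"):
                findings.append("ooxml:macroEnabled content type")
    return findings


if __name__ == "__main__":
    for label, sample in (("docm", build_sample_docm()),
                          ("docx", build_sample_docx()),
                          ("ole", build_sample_ole())):
        print(label, macro_indicators(sample) or "no macro indicators")
```

A file whose extension says .docx but whose container carries vbaProject.bin is a common evasion, which is why the check inspects the zip contents and the content-type manifest rather than the file name. For legacy OLE files in production, a proper CFB parser (for example the olefile library) should replace the substring heuristic.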


Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
