Earlier this year – in March – a macro-based malware called Bartalex was detected. Macro-based attacks exploiting Microsoft Word and Excel keep on occurring even though the technique can be described as ‘an old trick’ that has been around for more than a decade. New Bartalex activity was spotted just recently by Rackspace security researcher Brad Duncan. Bartalex is now being employed to spread the Pony Loader malware and the infamous Dyre banking Trojan.
Bartalex – Pony Loader – Dyre Contamination Path
Duncan spotted Bartalex proliferating through a Word document purporting to come from the payroll service ADP. As with most social engineering scams, victims who go through their Inbox more carefully will be able to distinguish fraudulent from legitimate senders. A good look at the email’s header is enough to conclude that ADP didn’t send the message. However, if users have macros enabled, opening the file attached to the message is sufficient to activate the threat.
Duncan’s research, based on traffic and network protocol analysis, indicates that the new strain of Bartalex deploys Pony Loader and Dyre. He noticed certificate data usually seen in SSL traffic generated by Dyre, along with some particular operations related to Bartalex and Pony.
Description of Pony Loader
Pony Loader first appeared years ago. The infamous information stealer has been used to spread the Zeus and Necurs Trojans, as well as the Cryptolocker and Cribit ransomware. Pony Loader 2.0, also known as Fareit, has been redesigned to steal cryptocurrency such as:
Bitcoin, Litecoin, MultiBit, Namecoin, Terracoin, Primecoin, Feathercoin, NovaCoin, MegaCoin, Digitalcoin, Zetacoin, Fastcoin, Tagcoin, Bytecoin, Florincoin, Luckycoin, etc.
Bartalex has been reported to spread Dyre before, but according to the evidence, this is the first time it has been seen deploying Pony Loader.
Description of Dyre Banking Trojan
SensorTechForum researchers have already described Dyre attacks. Dyre, also known as Dyreza and Dyranges, is malware designed exclusively to steal banking credentials. The Trojan has focused primarily on the customers of Bank of America and Citibank, RBS and Natwest in the UK, and Ulster Bank in Ireland. Dyre attacks usually start the same way – by luring the user into opening a corrupted attached PDF file pretending to be an invoice. The document contains exploits for vulnerabilities in Adobe Reader, so users with unpatched or older versions are easily targeted.
Bartalex – Pony Loader – Dyre Malicious Combination
According to extensive security research, the latest strain of Bartalex has been spread via thousands of infected Dropbox links. Presumably, some of them were used to deploy the Pony Loader malware and others the Dyre banking Trojan.
How to Stay Safe
There is a difference between attacks driven purely by malicious code and macro-based ones: the latter require user interaction to deliver the final payload. To limit the possibility of such an attack, users should therefore avoid the following:
- Opening suspicious, unexpected emails and reading the attached documents.
- Enabling macros by instructions given in such documents.
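Because the payload only runs once macros execute, a mail gateway or endpoint can refuse to deliver any Office attachment that carries a VBA project at all. The following triage check is an added example written for this article, not code from the researchers or vendors mentioned; the sample documents it builds are constructed stand-ins with only the parts the check inspects, not real malware.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory-entry names inside an OLE compound file are stored as UTF-16LE.
# A Word VBA project lives under a "Macros" storage with a "_VBA_PROJECT" stream.
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def attachment_has_macros(data: bytes) -> bool:
    """Return True if the bytes look like an Office document carrying a VBA project."""
    # OOXML (docx/docm/xlsm ...): a ZIP container in which a VBA project is always
    # stored as a part named vbaProject.bin, whatever the file extension says.
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    # Legacy binary .doc/.xls: an OLE compound file. Scanning for the VBA storage
    # names is a heuristic; a production gateway should parse the OLE directory
    # (e.g. with oletools' olevba) instead of substring matching.
    if data[:8] == OLE_MAGIC:
        return any(marker in data for marker in OLE_VBA_MARKERS)
    return False


def flag_attachments(attachments: dict) -> list:
    """Names of attachments that should be quarantined rather than delivered."""
    return [name for name, data in attachments.items() if attachment_has_macros(data)]


# Constructed samples: minimal containers holding only the parts the check looks at.
def build_ooxml(with_vba: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def build_legacy_doc(with_vba: bool) -> bytes:
    body = OLE_MAGIC + b"\x00" * 504  # a bare header sector
    return body + ("Macros".encode("utf-16-le") if with_vba else b"")


if __name__ == "__main__":
    sample = {"payroll.doc": build_legacy_doc(True), "invoice.docm": build_ooxml(True),
              "memo.docx": build_ooxml(False)}
    print("quarantine:", flag_attachments(sample))  # → ['payroll.doc', 'invoice.docm']
```

The check keys on the container's contents rather than the extension, so a macro document renamed to .docx is still flagged.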