Because there is not enough complex and dangerous malware out there already, we now have a new strain of the Bartalex malware dropping the Pony loader malware and the Dyre banking Trojan to increase the power and sophistication of an attack:
Primarily spread through spam, the first iterations of Bartalex were observed in late March embedded in Microsoft Word and Excel macros.
Macros have been a popular infection method for a decade-plus but as is often the case in malware, everything old eventually becomes new again. The attack vector never really went away but Word documents booby-trapped with macro malware have been enjoying a comeback of sorts as of late. Microsoft’s Malware Protection Center even sounded the alarm over an increasing number of threats using macros in January.
Brad Duncan, a security researcher at Rackspace and a handler at the SANS Internet Storm Center, spotted Bartalex propagating through a rigged Word document on Tuesday.
The Word document purports to come from the payroll service ADP and to pertain to a rejected Automated Clearing House (ACH) payment. As Duncan notes, however, a quick look at the email’s headers indicates the email did not come from ADP, and if a user were to open the file with macros enabled in Microsoft Word, any associated macros would execute.
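As an added illustration of the header check Duncan describes (example code written for this page, not from the article, ADP or the researchers named), the routine below flags a message whose From: domain does not match its envelope sender and whose attachment is an Office format that can carry macros. The message it inspects is constructed sample data; `adp.example` and `mailer.invalid` are placeholder domains.

```python
"""Triage routine for a payroll-themed macro lure (added example)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Office formats that can carry VBA macros (legacy OLE and macro-enabled OOXML)
MACRO_EXTENSIONS = {".doc", ".xls", ".docm", ".xlsm", ".dotm", ".xltm"}

def sender_domain(header_value):
    """Domain part of an address header, lower-cased; '' if none."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def header_mismatch(msg):
    """True when the From: domain differs from the envelope sender's domain."""
    from_domain = sender_domain(msg.get("From"))
    envelope_domain = sender_domain(msg.get("Return-Path"))
    return bool(from_domain) and from_domain != envelope_domain

def has_macro_capable_attachment(msg):
    """True if any attachment's extension belongs to a macro-capable format."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in MACRO_EXTENSIONS):
            return True
    return False

def triage(raw_bytes):
    """Return the list of findings for a raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if header_mismatch(msg):
        findings.append("from-domain-mismatch")
    if has_macro_capable_attachment(msg):
        findings.append("macro-capable-attachment")
    return findings

def sample_lure():
    """Constructed sample modelled on the lure in the article; not a real message."""
    m = EmailMessage()
    m["From"] = "ADP Payroll <noreply@adp.example>"  # placeholder domain
    m["Return-Path"] = "<bounce@mailer.invalid>"      # placeholder domain
    m["Subject"] = "Rejected ACH payment"
    m.set_content("Your ACH payment was rejected. See the attached notice.")
    # OLE compound-file magic bytes stand in for a .doc body
    m.add_attachment(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", maintype="application",
                     subtype="msword", filename="ACH_notice.doc")
    return m.as_bytes()
```

Running `triage(sample_lure())` returns both findings; a mail gateway rule would typically quarantine on the combination rather than on either signal alone.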