Trojan-Downloader:W97M/Dridex is a document file containing maliciously crafted macro code that, when allowed to run on a user's machine, drops a file onto the system. The dropped file attempts to contact a remote server.
F-Secure security products detect the dropped files. Once detected, the F-Secure security product will automatically disinfect the suspect file by either blocking it, deleting it or renaming it. The malicious URL the malware attempts to contact is also automatically blocked.
More scanning & removal options
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.
Trojan-Downloader:W97M/Dridex is distributed in a Word document that is sent out as a file attachment to fraudulent e-mails that appear to be invoice-related. These e-mails have reportedly misused the names and/or branding of various legitimate companies to appear above-board.
The attached document may use an innocuous file name such as 'Invoice.doc', or by randomly named. In the sample analyzed (SHA1: 8c77475defd5ee97d60727e8faec69b8eafa64fc), the attachment was simply named 'Attachment.doc':
Dridex's booby-trapped Word document
On downloading and opening the attached Word document, the document appears to be a blank page; a security warning appears saying that 'Macros have been disabled' and providing a button for the user to click and 'Enable Content'.
Dridex tricks users into enabling malicious code
If the user does so, Dridex's malicious macro code is allowed to run and a file is immediately and silently dropped in the user's temp folder. In the sample analyzed, the dropped file used the name 'pilorghpt.exe':
Dridex drops a file to the user's temp folder
The dropped file then attempts to contact a remote server and retrieve an executable file to download the infected machine. Note: if DeepGuard is enabled, this file is automatically blocked from accessing the malicious remote site.
Theft of online banking credentials
Since the middle of 2014, Dridex malware have been reported attempting to steal users online banking credentials. The malware monitors the user's web browsing activity for visits to selected banking sites, then tries to capture the login details entered into web forms on these sites. The list of banks targeted are mainly focused on the United Kingdom, the United States and Australia, though activity in other countries have also been noted.
More information about Dridex's online banking phishing e-mail campaigns can be found at:
About macro malware
Macro-based malware used to be far more common in the early 2000s, when macro codes in business-related documents (primarily Microsoft Office documents, due to their overwhelming prevalence) were automatically allowed to run when a document was opened. In response, changes were made to the document programs to disable this functionality and prevent automatic execution of macro code; users now must actively allow such code to run.
Since then, the volume of macro malware has reduced significantly, and currently such malware relies heavily on deceiving the user into unwittingly running the malicious code.