A new variant of Bartalex used to serve Dyre and Pony Trojans

Pierluigi Paganini July 23, 2015

Researchers have spotted a new strain of the Bartalex macro-based malware that is used to drop the Pony loader malware and the popular Dyre banking Trojan.

Bartalex is a macro-based malware that was first discovered earlier this year, security researchers have spotted a new strain of this malicious code dropping the Pony loader malware and the popular Dyre banking Trojan.

The Pony Trojan is data stealer specialized in the theft of Bitcoin and user’s credentials, it is also used as a downloader for other malware, including the famous Gameover Zeus.

The initial sightings occurred in March when the Bartalex was spread with a spam campaign embedded in Microsoft Word and Excel macros.

Early 2015 the Microsoft Malware Protection Center (MMPC) issued an alert about a surge in the infections of malware using macros to spread their malicious code. The researchers at Microsoft have seen a major increase in enable-macros based malware, the most active codes included Adnel and Tarbir.

Last year, experts at TrendLabs observed criminal crews using the Windows PowerShell command shell to spread ROVNIX via malicious macro downloaders. Early this year, the experts noticed cyber criminals were using malicious macros in Microsoft Word Windows to spread the banking malwareVAWTRAK.

Security researcher at Rackspace, Brad Duncan, discovered a variant of Bartalex malware propagating through a bogus Word document.

bartalex spam

The Word document analyzed by the expert purports to come from the payroll service ADP and informs the victim that an Automated Clearing House (ACH) payment has been rejected.

As explained by Duncan, the Bartalex malware is exploited by malware authors to serve the Pony and Dyre malicious code.

“We used this example of Bartalex to infect a Windows host with Pony malware that downloaded a Dyre banking Trojan” states Duncan.

The expert noticed the use of a digital certificate data usually associated with the SSL traffic generated by the Dyre malware.

“We reviewed some of the Dyre post-infection traffic in Wireshark.  The image below shows one of the TCP streams using SSL over port 4443.  In Wireshark’s “Analyze” menu, use “Decode As” and select SSL to see the information properly parsed.  We found certificate data typically seen in SSL traffic generated by Dyre.” states Duncan.

bartalex certificate

In April, malware researchers discovered that the new strain of Bartalex was distributed via thousands of malicious Dropbox links. This variant was used to drop the Dyre Trojan on the infected machine.

By using the Security Onion distribution, he spotted a “number of events related to Bartalex and the Pony downloader.”

Bartalex malware continues to be a serious threat for malware researchers, Duncan confirmed that in many cases the malicious attachments are able to elude spam filters, but fortunately, post-infection traffic is quite easy to recognize.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Bartalex, macro)

[adrotate banner=”12″]

you might also like

leave a comment