The Dyre group, a major malware spam producer, has changed their initial malware dropper to utilize Microsoft Word document macros instead of the usual executable types, such as .exe files contained in a .zip.
Dyre’s Hedsen spambot, responsible for the bulk of the Upatre emails we’ve been tracking, now uses a template to send macro-infected Word files as spam attachments, in the hope that the end user will open the attached .doc file and infect their system. This is a noticeable change in behavior for this particular spambot.
As always, users should disable macros in Office documents and avoid the temptation to open suspicious attachments.
VIPRE detects the infected .doc as LooksLike.Macro.Malware.gen!d1 (v).
An example spam message using the new infected macro technique.
The infected .doc file, which also suggests you enable Macros once it is opened.
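One way to enforce the "disable macros" advice above on a Windows endpoint, as an added example that is not part of the original post or of ThreatTrack's tooling: it writes the Word VBAWarnings policy value to the per-user Office policy key and reports what is in effect. It assumes the Office version keys 14.0/15.0/16.0 and the documented VBAWarnings meanings (2 = disable with notification, 3 = only digitally signed, 4 = disable all without notification); adjust the version list for your estate.

```powershell
# Added example (not from the ThreatTrack post): report and enforce the Word
# macro security level through the HKCU Office policy key. A value written under
# Software\Policies overrides the Trust Center setting the user could change
# (and greys it out), which is what blocks the "enable macros" prompt the
# spam document relies on.
# Assumption: Office 2010/2013/2016 keys 14.0/15.0/16.0 are the ones present.
$OfficeVersions = @('14.0', '15.0', '16.0')

function Get-WordMacroPolicy {
    # Return one object per Word version found, with the effective VBAWarnings
    # value from the policy key (if set) and from the user key.
    foreach ($v in $OfficeVersions) {
        $userKey   = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Word")) { continue }
        $userVal   = (Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $policyVal = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Version     = $v
            PolicyValue = $policyVal   # wins when present
            UserValue   = $userVal
            MacrosBlocked = ($policyVal -in 3,4) -or ($null -eq $policyVal -and $userVal -in 3,4)
        }
    }
}

function Set-WordMacroPolicy {
    # Level 4 = disable all macros without notification (no enable button shown);
    # 3 = allow only digitally signed macros; 2 = disable with notification.
    param([ValidateSet(2, 3, 4)][int]$Level = 4)
    foreach ($v in $OfficeVersions) {
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Word")) { continue }
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name VBAWarnings -PropertyType DWord `
            -Value $Level -Force | Out-Null
    }
}

# Usage: apply the strictest level for the current user, then verify.
Set-WordMacroPolicy -Level 4
Get-WordMacroPolicy | Format-Table -AutoSize
```

For fleet-wide enforcement the same VBAWarnings value is normally pushed by Group Policy to every user rather than set per machine like this.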
This particular spambot is now using the following URLs to generate and deliver its infected payload:
The spammer gets the Template letter (which also includes the base64 attachment of the .doc) from:
The spammer gets the sender field from:
The spammer gets its email target list from:
Macro doc MD5:
The macro pulls additional code from websites listed at:
The macro determines which URL to download from:
- pilsudskiego175[.]pl/modules/mod_araticlws /lns.txt
As of this post, the macro is downloading from:
The Upatre md5 is:
Upatre reports to its Command and Control at
It downloads Dyre through HTTPS from:
The Dyre MD5 is:
Credit: Matthew Mesa – ThreatTrack Security Labs Researcher