Aussie enterprises targeted in Bartalex spam campaign

Australian businesses are currently being hit by cloud storage hosted Microsoft Office macro malware in large numbers in a month-long campaign uncovered by security researchers.

Security vendor Trend Micro said its researchers detected an outbreak of spam that used fraudulent messages from the Automated Clearing House electronic funds transfer network that is regularly used by businesses for transactions with each other.

The spam messages link to Dropbox sites that contain malicious Microsoft Office macros - named Bartalex - which if enabled by users, proceed to download a variant of the Dyre banking malware.

Sample Dropbox hosted Bartalex macro malware

Dyre and variants of the malware have been used over the past year to target Salesforce customers and United States banks like JP Morgan, to steal user credentials.

Telemetry figures from Trend Micro show that over the past three months, Australian organisations are the third most affected by the Bartalex malware campaign, behind Canada, with US enterprises being the most hit.

Over a thousand links to the malware are hosted on Dropbox, Trend Micro said.

Bartalex itself is a relative recent macro or script malware that surfaced in the first quarter of this year. Along with others of its kind, Bartalex is used as an "infection gateway" or trojan horse to download malicious binaries to be executed on users' machines.

Microsoft said in January this year that its security team had seen an upsurge in similar malware disseminated via email, and warned against social engineering attempts at tricking users into enabling macros.

Trend Micro suggests that administrators revisit existing security policies to tackle the macro malware menace in enterprises and other organisations. 

User education to prevent staffers from enabling potentially malicious macros along with turning off the Windows Scripting Host feature that can execute dangerous code on employees' systems both help to protect against malware such as Bartalex and Dyre.

The security vendor did not say who was behind the Bartalex campaign, but in the past, Dyre has been linked to Russian and Eastern European criminal gangs.