Votiro has detected and successfully neutralized a new Dridex malware attack

January 28, 2016

The attack was disguised as a common payment request sent to one of the largest financial institutions protected by Votiro. The email was sent by a legitimate person with a valid LinkedIn account, from a company that had purchased a domain name and even designed a logo:

For the attention of the accounts department.

The email has a Word file attachment that, when opened, asks the user to enable macros. Once macros are enabled, the malicious macro silently downloads zimbazzi.exe, malware that disguises itself as a torrent/P2P program and is part of the Dridex banking malware family. The malware may also be identified as 87tf26w.exe or under another filename (MD5 33e222cd5a98ba948732ffddb2d41965). The complete infection process was not detected by the fully updated antivirus software installed on the lab machine.

Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user. (Webopedia.com)

While this attack was not recognized by most AV engines, the file was completely neutralized by Votiro, giving the client a safe-to-edit version of the Word file. As the VirusTotal report shows, only two AV engines flagged this file, and they flagged it only as suspicious.
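The neutralization step described above, producing a macro-free but still editable copy of a Word document, can be illustrated with a small content-disarm routine. This is an added example, not Votiro's code; it assumes a standard OOXML (.docm) container with the VBA project in word/vbaProject.bin, and builds its own constructed sample document to run against.

```python
import io
import re
import zipfile

# OOXML parts that hold VBA code in a .docm; the document body lives in word/document.xml.
MACRO_PARTS = {"word/vbaProject.bin", "word/vbaData.xml"}
VBA_CT = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def has_macros(data: bytes) -> bool:
    """True if the zip container still carries a VBA project part."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name in MACRO_PARTS for name in z.namelist())


def strip_macros(data: bytes) -> bytes:
    """Rebuild the container without macro parts and fix up content types and relationships."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name in MACRO_PARTS:
                continue  # drop the VBA project itself
            body = src.read(name)
            if name == "[Content_Types].xml":
                text = body.decode("utf-8")
                # remove the override for the VBA part and demote the main part from .docm to .docx
                text = re.sub(r'<Override[^>]*ContentType="%s"[^>]*/>' % re.escape(VBA_CT), "", text)
                body = text.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT).encode("utf-8")
            elif name == "word/_rels/document.xml.rels":
                # remove the relationship that pointed at vbaProject.bin so nothing dangles
                body = re.sub(r'<Relationship[^>]*Target="vbaProject\.bin"[^>]*/>', "", body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled document, used only to exercise the functions above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="%s"/>'
                   '<Override PartName="/word/vbaProject.bin" ContentType="%s"/></Types>' % (MACRO_MAIN_CT, VBA_CT))
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="vbaProject" Target="vbaProject.bin"/></Relationships>')
        z.writestr("word/document.xml", "<w:document><w:body>For the attention of the accounts department.</w:body></w:document>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project blob (constructed)")
    return buf.getvalue()
```

The regex fix-ups are adequate for this constructed sample; a production disarm engine would reparse the XML parts properly rather than pattern-match them.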

For more information, visit the Votiro website or contact us at info@votiro.com