Banking Trojan Alert: MS Word macros spreading Dridex

Within the last week, there have been a number of reports indicating an ongoing Dridex spam campaign primarily targeting people who bank in the United States and the UK. Like most banking trojan spam, the attack utilizes a malicious attachment; however, in a shift of strategy, Dridex’s distributors are now using Microsoft Word documents containing VBA macros to serve the malware and infect their victims.

What is a banking trojan?

The Dridex banking trojan is the type of malware that’s designed to steal your banking credentials, so that they can be used to log into your account and transfer your funds to criminals. Dridex essentially does this by ‘grabbing’ information you submit to certain websites. These websites are pre-specified by attackers, and they typically include those of popular banks. In any given distribution campaign – where a banking trojan is for example included in a malicious attachment and spammed to thousands of email addresses – these banking websites will vary, depending on the country in which the majority of targets reside.

How do you get Dridex?

This latest campaign began one week ago, when independent researchers noticed a number of fake Microsoft Word invoices, containing malicious VBA macros. These macros are small programs that instruct your computer to download Dridex from a legitimate website that has been compromised by the attackers. Once Dridex is installed, it can harvest credentials from any type of website you log into; however, in practice, banking credentials are most often collected.

How can I keep Dridex off my computer?

The first wave of this latest Dridex campaign saw a large amount of emails containing a fake MS Word invoice from Humber Merchants. This invoice had file name 15040BII3646501.doc, which downloaded Dridex from http://gpsbah[.]com/images/1[.]exe. To date, Emsisoft Anti-Malware is one of only a few products that prevents this variant of Dridex from executing.

For additional protection, users can also disable Microsoft Word macros, as this type of attack is relatively common and about a decade old. For MS Word 2013:

  1. Open Word, click File, then click the Options tab
  2. Click the Trust Center tab, then click the Trust Center Settings button
  3. Click the Macro Settings tab, select the desired Disable all macros option, and click OK.

As always, caution when handling unsolicited emails with attachments and links can help prevent infection too.

What should I do if I have a banking trojan infection?

If you think you may have become infected by Dridex, DO NOT log into any account – financial or otherwise – via the compromised computer. For assistance, contact our experts at Emsisoft Support as soon as possible. Malware removal is always free, even if you aren’t an Emsisoft customer yet.

Have a great (Dridex-free) day!

For more information on Dridex, see this article from Palo Alto Networks.



  • ricardo garcia

    Good, but is emsi able to disinfect this malware, because at least EAM is not able to clean up MS scripts

    • Thomas Ott (Emsisoft)

      Hi Ricardo,

      The behavior blocker will intercept the execution of the actual malware the macro is supposed to download.