
Bartalex

Posted: July 23, 2015

Threat Metric

Threat Level: 9/10
Infected PCs: 9
First Seen: July 23, 2015
Last Seen: September 12, 2019
OS(es) Affected: Windows

Bartalex is a macro-based Trojan downloader that may install a range of other threatening and unwanted software. Its payload history includes high-level threats, with a particular emphasis on Trojans with information-collecting functions, such as Dyranges (AKA Dyzap or Dyre). Bartalex campaigns have used more than one delivery method, including spam e-mail attachments and links to files hosted on file-storage services, to expose victims to its attacks. Malware experts urge anyone with a Bartalex-compromised system to run extensive anti-malware diagnostics immediately.

The Documents with Surprise Trojans

Although macro abuse in documents is years old, its age does not mean the associated attacks have become ineffective or unpopular. Bartalex is a 2015 example of a Trojan campaign using macros (small programs, usually written in VBA, embedded in Microsoft Office content) to attack PC users and spread other threats. The simplicity and limitations of macro-based content heavily restrict what Bartalex does on its own (it downloads and launches the real payload rather than carrying it), but that same simplicity may make a macro-laden document more likely to slip past spam filters and file-scanning technology, such as that used by anti-malware products.

Unsurprisingly, malware experts found one of Bartalex's major campaigns using the well-known template of a fraudulent payroll e-mail notification. Victims who opened the attached document and enabled its macros exposed themselves to Bartalex, which then installed spyware and backdoor-capable threats such as the Pony loader. Although Microsoft Office blocks macros from untrusted documents by default, users can enable them manually with a single click on the warning bar, and the Bartalex-carrying documents often instruct the reader to do exactly that.
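Because the whole delivery chain above depends on a macro-bearing Office attachment reaching the user, a useful gateway-side check is to classify attachments by their bytes rather than by their file name. The following Python script is an added example written for this page, not code from the original article or from any Bartalex sample: it builds a constructed payroll-themed lure e-mail with two constructed attachments (a minimal OOXML package containing a placeholder vbaProject.bin part, and a clean one) and flags the one that carries a VBA project. The content-type strings are the real OOXML ones; the file names, addresses and message text are invented for the example, and the legacy OLE case is only recognised, not parsed.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Legacy binary .doc/.xls files are OLE compound documents with this header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_blob(data: bytes) -> str:
    """Classify raw attachment bytes.

    'ooxml-macro': OOXML package (docm/xlsm/pptm) carrying a VBA project
    'ooxml-clean': OOXML package without a VBA project
    'ole-binary' : legacy OLE container; its macros live in a 'Macros' storage
                   and need an OLE parser (e.g. oletools) for a real verdict
    'other'      : not an Office container at all
    """
    if data.startswith(OLE_MAGIC):
        return "ole-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "other"
            # The VBA project is stored as word/, xl/ or ppt/vbaProject.bin.
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "other"
    # Macro-enabled formats declare a "...macroEnabled..." main-part content type.
    if has_vba or "macroEnabled" in ctypes:
        return "ooxml-macro"
    return "ooxml-clean"


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package (sample data, not a real document)."""
    main_ct = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            z.writestr("word/vbaProject.bin", b"\x00placeholder, not real VBA\x00")
    return buf.getvalue()


def build_lure_email() -> bytes:
    """Constructed payroll-notification lure in the style the page describes."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"          # invented sender
    msg["To"] = "victim@example.net"              # invented recipient
    msg["Subject"] = "Payroll notification"
    msg.set_content("Your payroll statement is attached. Enable content to view it.")
    # The .doc extension is deliberately misleading; the check ignores the name.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="payroll_statement.doc")
    msg.add_attachment(build_ooxml(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="terms.docx")
    return msg.as_bytes()


def triage(raw_email: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_email)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        results.append((name, classify_office_blob(part.get_payload(decode=True))))
    return results


if __name__ == "__main__":
    for name, verdict in triage(build_lure_email()):
        print(f"{name}: {verdict}")
```

The verdict for the macro-bearing attachment is `ooxml-macro` regardless of its `.doc` name, which is the point: a gateway rule keyed on extension or declared MIME type is exactly what a lure like this is built to slip past. Legacy OLE attachments come back as `ole-binary` and should be handed to a proper OLE/VBA parser rather than assumed clean.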

A second Bartalex campaign, also in 2015, used Dropbox-hosted download links instead of e-mail attachments. This campaign installed Dyranges, a banking Trojan that compromises the victim's online bank accounts and uses disposable modules to modify its feature set.

Making Sure Your Documents don't Start Reading Your Bank Accounts

PC users who leave Microsoft Office's macro security settings at their defaults, and who do not click through the warning to enable content, should be protected from Bartalex, since its macros cannot run without that step; later Office releases can additionally be configured through Group Policy to block macros in files marked as downloaded from the Internet. Malware experts also recommend avoiding obfuscated Web addresses that redirect to file downloads, like those used to propagate Bartalex. Although Dropbox has since taken action to terminate links to the Bartalex files, further campaigns are likely to use similar techniques. Lastly, updated anti-malware products also should be able to identify Bartalex while scanning the relevant documents.

Even Web surfers who do not use online bank accounts are at risk from some Bartalex payloads. Because of Bartalex's close association with threats like the Pony botnet, a compromised PC may give third parties virtually complete access to its settings and data. Most threats installed by Bartalex are designed to avoid leaving visible symptoms, so detecting and removing them, along with Bartalex itself, requires dedicated anti-malware tools.
