
Dudell

Posted: December 30, 2019

Bogus Microsoft Office documents are one of the favorite tricks cybercriminals use to spread their threatening applications. One recent campaign that relies on macro-laced Microsoft Excel documents is linked to the Dudell malware family – a new threat that is likely the work of Rancor, an infamous cybercrime group. Rancor specializes in cyber espionage campaigns, which is why its targets are often businesses operating in various industries. The Dudell malware is able to exfiltrate sensitive data from the compromised network and to manage running processes, which allows the attackers to deploy secondary payloads.

The attack begins when the target receives a phishing email carrying a decoy '.XLSX' document. When the victims open the document, they may be asked to 'Enable Content' to view it – this harmless-looking prompt allows the document to run the embedded macro script, whose purpose is to fetch and execute Dudell.
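The lure described above only works if the attachment carries VBA macros, and a file that calls itself '.XLSX' should not carry any. The following is an added defender-side example, not code from the original article or from any Dudell sample: it inspects an Office Open XML container for a VBA project and flags the extension/content mismatch. The sample documents it checks are constructed in memory; the hypothetical file names `invoice.xlsx` and `report.xlsm` are assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

# Content type Office uses to declare an embedded VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = {"xlsx", "docx", "pptx"}


@dataclass
class MacroReport:
    has_vba_project: bool       # a vbaProject.bin part exists in the zip
    declares_macro_type: bool   # [Content_Types].xml advertises the VBA part
    extension_mismatch: bool    # macros inside a file named .xlsx/.docx/.pptx


def inspect_office_document(data: bytes, filename: str) -> MacroReport:
    """Inspect an Office Open XML container (a zip) for embedded VBA macros.

    Raises zipfile.BadZipFile if the bytes are not a zip container.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        declares = False
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            declares = MACRO_CONTENT_TYPE in types_xml
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A macro project inside a nominally macro-free format means the extension
    # is lying about the content; that is the decoy pattern described above.
    mismatch = (has_vba or declares) and ext in MACRO_FREE_EXTENSIONS
    return MacroReport(has_vba, declares, mismatch)


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook container for testing; not a real lure."""
    overrides = ('<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>'
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE blob")
        zf.writestr("[Content_Types].xml",
                    f'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">{overrides}</Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()


if __name__ == "__main__":
    for with_macro, name in ((True, "invoice.xlsx"), (False, "invoice.xlsx"), (True, "report.xlsm")):
        print(name, inspect_office_document(build_sample(with_macro), name))
```

A mail gateway or triage script can quarantine any attachment whose report shows `extension_mismatch`, and review the rest by policy.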

The Dudell Malware Spread via Macro-Laced Documents

Once Dudell is launched, it connects to a remote Command and Control server and starts listening for commands. The operators of the malware are not only able to browse and modify local files, but also gain access to the following functions:

  • Upload and execute files.
  • Download a file from a URL and launch it.
  • Execute remote commands.
  • Take screenshots of the compromised PC and upload them to the attacker's server.

Dudell's features are not spectacular, but they are more than enough to carry out a successful cyber-espionage operation that lets the attacker obtain sensitive documents, files, and other information. The best way to protect your business from attacks like this one is to use modern anti-malware services and to familiarize your employees with cybersecurity best practices.
