Cybersecurity researchers have identified a new malware strain that is being spread via weaponized Microsoft Excel documents. The threat, dubbed Dudell, is likely to be linked to the hacking group known as Rancor. Rancor's targets often are medium-sized companies and businesses, and the primary purpose of their attacks is cyber-espionage. The Dudell malware appears to be the latest weapon in Rancor's arsenal, and this backdoor Trojan possesses a wide range of abilities that enable its operators to execute a long list of tasks on the machines they infect.
The Dudell campaign relies heavily on Microsoft Excel documents that have a corrupted macro script embedded inside of them. These are being sent out via phishing emails, and recipients will be presented with a decoy file upon opening the threatening document. In addition to displaying a decoy, the unsafe file also will prompt the target to 'Enable Content' – an option, which will permit the file to execute the embedded macro script.
The Dudell Malware Works as a Backdoor Trojan
Once the macro is launched, the Dudell malware's payload will be fetched from the control server and deployed to the compromised machine. The malware has basic anti-sandbox techniques, and it will check for the presence of specific services, drivers, and processes used by virtual machines – if it finds any matches, it will terminate itself. If the attack is not hindered, Dudell will enable its operators to perform the following tasks:
- List files.
- List processes and terminate them.
- Modify the file system.
- Upload or download files and launch them.
- Execute remote commands.
- Grab screenshots.
Dudell is not an advanced malware family, but it has enough modules and features to ensure that its victims will be vulnerable to a threatening hacker attack. Companies can protect their networks from the Dudell malware and similar attacks by utilizing state-of-the-art anti-malware products, as well as by teaching their employees to follow the best safe Web browsing practices.