If you are a regular reader of Securityleaks, you might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.
Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.
Dridex is currently one of the most dangerous banking trojans on the Internet. It infiltrates PCs, monitors the victim's traffic to banking sites, and steals online banking credentials and financial data.
The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails.
However, this is the first time researchers have found the Dridex operators using an unpatched zero-day flaw in Microsoft Word to distribute their banking trojan.
According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks primarily located in Australia.
“Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from ‘[device]@[recipient’s domain].’ [Device] may be ‘copier’, ‘documents’, ‘noreply’, ‘no-reply’, or ‘scanner’,” Proofpoint researchers say.
“The subject line in all cases read ‘Scan Data’ and included attachments named ‘Scan_123456.doc’ or ‘Scan_123456.pdf’, where ‘123456’ was replaced with random digits… the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing.”
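The lure traits Proofpoint describes above (a device-style sender on the recipient's own domain, the fixed subject, the Scan_123456 attachment names, and an RTF file carrying a .doc extension) are easy to turn into a mail-gateway check. The following is an added example, not Proofpoint's or the article's own code; the message and attachment structures and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Lure traits reported by Proofpoint for this Dridex campaign
SPOOFED_DEVICE_NAMES = {"copier", "documents", "noreply", "no-reply", "scanner"}
LURE_SUBJECT = "scan data"
LURE_ATTACHMENT = re.compile(r"^scan_\d{6}\.(doc|pdf)$", re.IGNORECASE)
RTF_MAGIC = b"{\\rtf"  # RTF files start with this signature


@dataclass
class Attachment:  # hypothetical structure, not a real library type
    name: str
    head: bytes = b""  # first bytes of the file, if the gateway has them


@dataclass
class Message:  # hypothetical structure, not a real library type
    sender: str
    recipient: str
    subject: str
    attachments: list = field(default_factory=list)


def lure_indicators(msg: Message) -> list:
    """Return the campaign traits this message matches (empty list if none)."""
    hits = []
    local, _, sender_domain = msg.sender.rpartition("@")
    recipient_domain = msg.recipient.rpartition("@")[2]
    # "[device]@[recipient's domain]": device-like local part on the victim's own domain
    if local.lower() in SPOOFED_DEVICE_NAMES and sender_domain.lower() == recipient_domain.lower():
        hits.append("spoofed device sender on recipient domain")
    if msg.subject.strip().lower() == LURE_SUBJECT:
        hits.append("subject 'Scan Data'")
    for att in msg.attachments:
        if LURE_ATTACHMENT.match(att.name):
            hits.append("attachment named Scan_<digits>.doc/.pdf")
        # the campaign's .doc attachments were really RTF documents
        if att.name.lower().endswith(".doc") and att.head.startswith(RTF_MAGIC):
            hits.append("RTF content behind a .doc extension")
    return hits


def is_suspected_lure(msg: Message) -> bool:
    """Flag when at least two independent traits line up (any one alone is common)."""
    return len(lure_indicators(msg)) >= 2


# Constructed sample messages (not real captures)
LURE = Message("scanner@example.com", "alice@example.com", "Scan Data",
               [Attachment("Scan_482913.doc", b"{\\rtf1\\ansi...")])
BENIGN = Message("bob@partner.org", "alice@example.com", "Scan Data",
                 [Attachment("invoice.pdf", b"%PDF-1.4")])

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        print(m.sender, "->", is_suspected_lure(m), lure_indicators(m))
```

Requiring two traits keeps an ordinary internal "Scan Data" message from a real copier from being quarantined on the subject alone.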
As we reported on Saturday, this zero-day flaw is severe because it lets attackers bypass most of the exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it does not require victims to enable macros.
Moreover, given the danger of the Dridex banking trojan (also known as Bugat and Cridex), people are strongly advised not to open Word documents attached to an email from anyone, even a known sender, until Microsoft releases a patch.
Microsoft knew of the flaw very long ago
According to researchers at McAfee and FireEye, Microsoft has known of the remote code execution flaw since January and could release a patch for the vulnerability today, as part of its regular Patch Tuesday routine.
However, independent security researcher Ryan Hanson claimed that he discovered this 0-day, along with two other flaws, in July and reported it to Microsoft in October 2016.
“The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those two bugs and an additional Outlook bug were submitted to MS in October.”
“There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they’ve identified functions exactly like the one I disclosed. The only difference I see is the VBScript payload, since my payload simply executed calc.exe.”
If Hanson's claims are true and the vulnerability he reported is the same one being used in the wild to spread Dridex, Microsoft left its customers exposed to these attacks despite having known about the critical flaw for quite some time.
Enable ‘Protected View’ in Microsoft Office to Prevent Attack
Since the attack does not work when a malicious document is opened in Office Protected View, users are advised to keep this feature enabled and to view any Office document in Protected View.