Dridex banking Trojan campaign exploited Microsoft Word 0day recently revealed

Pierluigi Paganini April 11, 2017

Millions of people were targeted by a phishing campaign exploiting a Microsoft Word 0day and aimed to spread the Dridex Banking Trojan.

Recently security experts from firms McAfee and FireEye warned of a Microsoft Word zero-day exploited by attackers in the wild. Just opening an MS Word document could put Windows users at risk, the exploitation of the flaw could allow an attacker to silently install a malware on a fully patched Windows machine.

News of the day is that ‘weaponized’ documents exploiting the zero-day Microsoft Word have been sent to millions of people across the world, a malware campaign aimed to distribute the Dridex banking trojan.

Windows Zero-Day Attack

This Window zero-day attack is very insidious, it doesn’t require victim’s interaction, for example, it doesn’t need victims enabling Macros.

The Window zero-day attack works on all Windows OS version, even against Windows 10.

Researchers from Proofpoint observed a large email campaign aimed to spread the Dridex banking Trojan.

“Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan.” reads the analysis published by Proofpoint “This campaign was sent to millions of recipients across numerous organizations primarily in Australia.”

Dridex Banking Trojan

The campaign demonstrates the high level of agility for threat actors behind the Dridex campaign, according to the researchers this is the first time the attackers exploited a zero-day vulnerability in the attacks.

“This is the first campaign, we have observed that leverages the newly disclosed Microsoft zero-day.” reads the analysis.

The phishing emails used an attached Microsoft Word RTF document. Messages purported to be from Messages purported to be from “<[device]@[recipient’s domain]>” where the field ‘device’ could be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”.

The subject line reads “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was composed of random digits.

Experts highlighted that the social engineering techniques adopted by crooks are not sophisticated, but the campaign was very effective and messages very convincing.

The security firms McAfee and FireEye reported the Windows zero-day attacks to Microsoft back in January 2017, for this reason, McAfee decided to publicly disclose the vulnerability and a day after also FireEye made the same.

This Tuesday Microsoft will release security updates, let’s hope the company will address also the zero-day exploited in the wild.

Below the recommendations to mitigate such kind of Windows zero-day attack:

  •  Do not open any Office files obtained from untrusted locations.
  •  According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Windows zero-day attack, Dridex Banking Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment