Malware

Dridex banking Trojan campaign exploited Microsoft Word 0day recently revealed

Millions of people were targeted by a phishing campaign exploiting a Microsoft Word 0day and aimed to spread the Dridex Banking Trojan.

Recently security experts from firms McAfee and FireEye warned of a Microsoft Word zero-day exploited by attackers in the wild. Just opening an MS Word document could put Windows users at risk, the exploitation of the flaw could allow an attacker to silently install a malware on a fully patched Windows machine.

News of the day is that ‘weaponized’ documents exploiting the zero-day Microsoft Word have been sent to millions of people across the world, a malware campaign aimed to distribute the Dridex banking trojan.

Windows Zero-Day AttackWindows Zero-Day Attack

This Window zero-day attack is very insidious, it doesn’t require victim’s interaction, for example, it doesn’t need victims enabling Macros.

The Window zero-day attack works on all Windows OS version, even against Windows 10.

Researchers from Proofpoint observed a large email campaign aimed to spread the Dridex banking Trojan.

“Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan.” reads the analysis published by Proofpoint “This campaign was sent to millions of recipients across numerous organizations primarily in Australia.”

The campaign demonstrates the high level of agility for threat actors behind the Dridex campaign, according to the researchers this is the first time the attackers exploited a zero-day vulnerability in the attacks.

“This is the first campaign, we have observed that leverages the newly disclosed Microsoft zero-day.” reads the analysis.

The phishing emails used an attached Microsoft Word RTF document. Messages purported to be from Messages purported to be from “<[device]@[recipient’s domain]>” where the field ‘device’ could be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”.

The subject line reads “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was composed of random digits.

Experts highlighted that the social engineering techniques adopted by crooks are not sophisticated, but the campaign was very effective and messages very convincing.

The security firms McAfee and FireEye reported the Windows zero-day attacks to Microsoft back in January 2017, for this reason, McAfee decided to publicly disclose the vulnerability and a day after also FireEye made the same.

This Tuesday Microsoft will release security updates, let’s hope the company will address also the zero-day exploited in the wild.

Below the recommendations to mitigate such kind of Windows zero-day attack:

  • Do not open any Office files obtained from untrusted locations.
  • According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Windows zero-day attack, Dridex Banking Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

President Trump fired the head of U.S. Cyber Command and NSA

President Trump fired Gen. Timothy Haugh as head of U.S. Cyber Command and NSA President…

7 hours ago

Critical flaw in Apache Parquet’s Java Library allows remote code execution

Experts warn of a critical vulnerability impacting Apache Parquet's Java Library that could allow remote…

11 hours ago

CERT-UA reports attacks in March 2025 targeting Ukrainian agencies with WRECKSTEEL Malware

CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data.…

12 hours ago

39M secrets exposed: GitHub rolls out new security tools

39 Million Secrets Leaked on GitHub in 2024 GitHub found 39M secrets leaked in 2024…

14 hours ago

China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March

Ivanti addressed a critical remote code execution flaw in Connect Secure, which has been exploited…

1 day ago

Europol-led operation shuts down CSAM platform Kidflix, leading to 79 arrests

An international law enforcement operation shuts down Kidflix, a child sexual abuse material (CSAM) streaming…

1 day ago