UPDATE–The zero-day vulnerability in Microsoft Word disclosed in the last few days is now being used as a vector for attackers to install the nasty Dridex banking Trojan.
Researchers from a number of security companies have warned about the vulnerability, which Microsoft has yet to acknowledge publicly. The flaw allows attackers to bypass the exploit mitigations in even the most recent version of Windows. The attacks seen so far are using malicious Word documents with embedded exploit code, relying on users to open the attachments and infect themselves.
In the last day, researchers have seen a wave of attacks against several companies that use emails with attachments loaded with code that eventually installs Dridex. Researchers at Proofpoint said the malicious emails hit millions of users this week.
“Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from “<[device]@[recipient’s domain]>”. [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing,” an analysis by Proofpoint says.
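A defender-side triage check for the lure characteristics Proofpoint describes above, written as an added example (not Proofpoint's or the article's code): it flags the spoofed "[device]@[recipient's domain]" sender, the "Scan Data" subject, the "Scan_123456.doc/.pdf" attachment names, and a .doc attachment that actually begins with the RTF signature `{\rtf` (the quote notes the attachment was an RTF document). The `Message` structure and the sample messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Sender local-parts Proofpoint observed in the campaign.
DEVICE_LOCALPARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
# "Scan_123456.doc" / "Scan_123456.pdf" with the digits randomised.
ATTACHMENT_RE = re.compile(r"^Scan_\d+\.(doc|pdf)$", re.IGNORECASE)
RTF_MAGIC = b"{\\rtf"  # every RTF file starts with this control word


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    attachments: Dict[str, bytes] = field(default_factory=dict)  # name -> leading bytes


def campaign_indicators(msg: Message) -> List[str]:
    """Return the list of campaign indicators a message matches (empty = none)."""
    hits = []
    s_local, _, s_domain = msg.sender.lower().rpartition("@")
    _, _, r_domain = msg.recipient.lower().rpartition("@")
    # Sender claims to be an internal device on the recipient's own domain.
    if s_local in DEVICE_LOCALPARTS and s_domain and s_domain == r_domain:
        hits.append("spoofed-internal-device-sender")
    if msg.subject.strip().lower() == "scan data":
        hits.append("subject-scan-data")
    for name, head in msg.attachments.items():
        if ATTACHMENT_RE.match(name):
            hits.append("attachment-name:" + name)
        # Extension says Word binary (.doc) but the content is RTF.
        if name.lower().endswith(".doc") and head.startswith(RTF_MAGIC):
            hits.append("rtf-disguised-as-doc:" + name)
    return hits


def demo() -> Dict[str, List[str]]:
    # Constructed samples: one mimicking the campaign, one ordinary internal mail.
    lure = Message("scanner@example.com", "alice@example.com", "Scan Data",
                   {"Scan_482913.doc": b"{\\rtf1\\ansi\\deff0 ..."})
    benign = Message("bob@example.com", "alice@example.com", "Q2 budget",
                     {"budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"})
    return {"lure": campaign_indicators(lure), "benign": campaign_indicators(benign)}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, "->", hits or "no indicators")
```

A real deployment would read the sender, subject and attachment bytes from the mail gateway or mailbox export; the scoring logic stays the same.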
Dridex is a widely used banking Trojan that has evolved considerably over the years. It is descended from the old Zeus source code and is used mainly to steal banking credentials from victims’ machines. In the past, the attackers pushing Dridex have usually relied on phishing messages that include attachments with macros in them. Many users have turned off macros in recent years, so attackers have had to adjust their tactics.
“While a focus on exploiting the human factor – that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks – remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day,” Proofpoint said.
Microsoft patched the vulnerability on Tuesday, releasing a fix for Office, Windows, and Windows Server, as part of its monthly security bulletins.
“A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the bulletin says.
This story was updated on April 11 to add information about the patch.