SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
11 Apr 2017

Unpatched Microsoft Word flaw is being used to spread Dridex banking trojan

You might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.

Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.

Dridex is currently one of the most dangerous banking trojans on the Internet that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating PCs and stealing victim's online banking credentials and financial data. The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails. However, this is the first time when researchers found the Dridex operators using an unpatched zero-day flaw in Microsoft Word for distributing their banking trojan.

According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks primarily located in Australia.

"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "[device]@[recipient's domain]." [Device] may be "copier", "documents", "noreply", "no-reply", or "scanner"," Proofpoint researchers say.
"The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits...the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing."

As we reported on Saturday, this zero-day flaw is severe because it gives hackers power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it doesn't require victims to enable Macros. Moreover, given the danger of Dridex – also known as Bugat and Cridex – banking trojan, people are strongly advised not to open Word documents attached to an email from anyone, even if you know the sender until Microsoft releases a patch.

Microsoft knew of the flaw very long ago

According to researchers at McAfee and FireEye, Microsoft has known of the remote code flaw since January and could release a patch for the vulnerability today, as part of its regular Patch Tuesday routine. However, an independent security researcher Ryan Hanson claimed that he discovered this 0-day, along with the two other flaws, in July and reported it to Microsoft in October 2016.

    "The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those two bugs and an additional Outlook bug were submitted to MS in October," Hanson told.
    "There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they've identified functions exactly like the one I disclosed. The only difference I see is the VBScript payload, since my payload simply executed calc.exe."

If the claims made by Hanson is true and his reported vulnerability is the same being used in the wild to spread Dridex, Microsoft left its customers vulnerable to the attacks even after being known of the critical flaw for quite long.

Enable 'Protected View' in Microsoft Office to Prevent Attack

Since the attack does not work when a malicious document is viewed in Office Protected View, users are advised to enable this feature in order to view any Office documents. For more technical details about the latest Dridex malware campaign exploiting the unpatched Microsoft Word flaw, you can head on to the blog post published by Proofpoint.


Download SafeUM — communicate privately, without advertising and spam.

Tags:
Dridex information leaks Microsoft
Source:
The Hacker News
1837
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015