You might be aware of an ongoing cyber attack that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.
Now, according to security firm Proofpoint, the operators of the Dridex malware have started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan. Dridex is currently one of the most dangerous banking trojans on the Internet: it infiltrates PCs, monitors a victim's traffic to banking sites, and steals the victim's online banking credentials and financial data.
Operators of the Dridex banking trojan are experimenting with a new technique of delivering spam to their victims, according to independent security researcher MalwareTech.
The researcher recently spotted a spam wave coming from legitimate but compromised websites, which the crooks were abusing to send spam to victims, predominantly users living in the UK. The Dridex crew employed two new techniques in this campaign. The first is the use of compromised servers to send spam; previously, the Dridex gang had relied on the Necurs botnet, a network of compromised computers.
Future versions of the infamous and highly dangerous Dridex banking trojan will soon be able to steal credentials for several crypto-currency wallets, according to clues found in recent Dridex samples.
Dridex, also known as Bugat and Cridex, is the moniker of a banking trojan and the name of its botnet used to commit other types of illegal activities, such as sending spam. The criminal group behind it, a true cyber-crime syndicate, has people working around the clock updating Dridex's source code with new features and new methods meant to help the trojan avoid getting flagged by security software. A recent report highlights some of the low-level code changes.
Attackers behind the Dridex Trojan have narrowed their sights on banks based in the United Kingdom frequented by high-value business accounts, researchers claim. When a new version of the Trojan was released two weeks ago, it was promptly followed by a series of infection campaigns that focused on UK users.
Limor Kessem, a cybersecurity evangelist at IBM's X-Force, who published a blog entry about the Trojan's latest whereabouts, claims the latest chain of infections is leveraging the Andromeda botnet. The Trojan's operators targeted two banks in the U.K. to start, but within a few days were targeting 13 banks.
Researchers with Invincea are warning that Dridex activity has resumed. The advisory comes weeks after law enforcement announced that the Dridex botnet had been significantly disrupted as part of a global operation.
Invincea's director of security analytics said the security firm has recently seen a number of localized Dridex variants targeting victims based on language and region. Since Oct. 22, Invincea has seen 60 instances of French users being targeted with the Dridex trojan, the advisory said. Specifically, those users had been targeted with weaponized Microsoft Office documents pretending to be receipts from retail stores and hotels.
Cyber criminals have stolen some £20 million from UK bank accounts using Dridex malware, according to the National Crime Agency. The agency is warning Internet users to protect themselves against the malware, also known as Bugat and Cridex, and say they are chasing down the "technically skilled" thieves.
One arrest has already been made. The "particularly virulent form of malware" has been developed by criminals in Eastern Europe, the NCA says, and it harvests online banking details to steal money from individuals and businesses globally. Computers become infected when users open documents from seemingly legitimate emails.
Dridex, the latest descendant of the banking Trojan lineage, has been the basis of a steady stream of attacks since its release in July. To date, Dridex has centered on sending executable attachments via e-mail.
That seems to have changed this week, as we've seen a tactical shift to delivering those executables via Microsoft Word documents loaded with macros that download and execute the malware. Like its precursors, Dridex is a sophisticated banking Trojan, similar to the infamous Zeus malware. Its core functionality is to steal credentials for online banking websites and allow a criminal to use those credentials to initiate transfers and steal funds.