
Microsoft Word 0-day used to push dangerous Dridex malware on millions

Blast could give a boost to Dridex, one of the Internet's worst bank fraud threats.

A sample e-mail from the Dridex campaign exploiting the Microsoft Word zero-day. (Image: Proofpoint)

Booby-trapped documents exploiting a critical zero-day vulnerability in Microsoft Word have been sent to millions of people around the world in a blitz aimed at installing Dridex, currently one of the most dangerous bank fraud threats on the Internet.

As Ars reported on Saturday, the vulnerability is notable because it bypasses exploit mitigations built into Windows, doesn't require targets to enable macros, and works even against Windows 10, which is widely considered Microsoft's most secure operating system ever. The flaw is known to affect most or all Windows versions of Word, but so far no one has ruled out that exploits might also be possible against Mac versions. Researchers from security firms McAfee and FireEye warned that the malicious Word documents are being attached to e-mails but didn't reveal the scope or ultimate objective of the campaign.

In a blog post published Monday night, researchers from Proofpoint filled in some of the missing details, saying the exploit documents were sent to millions of recipients across numerous organizations that were primarily located in Australia. Proofpoint researchers wrote:

This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails. While a focus on exploiting the human factor—that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks—remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day.

Analysis

Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.
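The lure Proofpoint describes gives defenders a handful of concrete indicators: a device-style sender address, the "Scan Data" subject, an attachment named Scan_<digits>.doc or .pdf, and the fact that the attachment is really an RTF file whatever its extension says. The following PowerShell is an added example, not from the article or from Proofpoint, of triaging saved attachments against those indicators. The name pattern, the helper function and the sample files it writes are constructed for the demonstration; the samples are harmless text, not exploit documents.

```powershell
# Added example (not from the article or Proofpoint): flag saved attachments that
# match the campaign's naming pattern AND carry RTF content behind a .doc/.pdf name.
# Test-RtfMasquerade is a name chosen for this example; the regex is an assumption
# based on the "Scan_123456.doc" / "Scan_123456.pdf" names quoted above.

function Test-RtfMasquerade {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $name = [System.IO.Path]::GetFileName($Path)
    $nameMatches = $name -match '^Scan_\d+\.(doc|pdf)$'

    # Read only the first five bytes: an RTF file starts with "{\rtf" regardless of
    # the extension, which is what lets an .doc-named RTF open as RTF in Word.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 5
        $n = $fs.Read($buf, 0, 5)
    } finally {
        $fs.Dispose()
    }
    $magic = [System.Text.Encoding]::ASCII.GetString($buf, 0, $n)
    $isRtf = ($magic -eq '{\rtf')

    [pscustomobject]@{
        File          = $name
        LureNameMatch = $nameMatches
        RtfContent    = $isRtf
        Suspicious    = ($nameMatches -and $isRtf)
    }
}

# Constructed sample files in a temp directory (not real campaign samples).
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'rtf-lure-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# A ".doc" that is really RTF with the lure name: should be flagged Suspicious.
[System.IO.File]::WriteAllText((Join-Path $dir 'Scan_482913.doc'), '{\rtf1\ansi Hello}')
# A genuine OLE2 compound-file header (D0 CF 11 E0 ...) with the lure name: name matches, content does not.
[System.IO.File]::WriteAllBytes((Join-Path $dir 'Scan_118822.doc'),
    [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1))
# RTF content under an ordinary name: content alone is not a campaign match.
[System.IO.File]::WriteAllText((Join-Path $dir 'Invoice.doc'), '{\rtf1\ansi Hello}')

Get-ChildItem -Path $dir -File |
    ForEach-Object { Test-RtfMasquerade -Path $_.FullName } |
    Format-Table -AutoSize
```

Only the first sample comes back with Suspicious set to True. The point of checking the magic bytes rather than the extension is the same one that makes the exploit work: Word decides the format from the content, so a mail-gateway rule that blocks ".rtf" attachments by name misses this campaign entirely, while a rule on the "{\rtf" signature does not.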

Microsoft, which according to McAfee has known of the remote code-execution vulnerability since January, has yet to issue any sort of public advisory. It's hard to excuse the silence given the scope of the exploit campaign reported by Proofpoint, which is now at least the third security company to publicly warn of the critical vulnerability since Friday. Once known for openly discussing its security challenges, Microsoft has grown increasingly reticent over the past year. Whereas it used to issue useful, actionable guidance when zero-days became public, company officials now often decline to comment or, worse, respond with marketing flackery.

Researchers from multiple security companies have said Microsoft plans to release a security update for the critical Word flaw on Tuesday as part of its normal Patch Tuesday routine. Given the aggressiveness of the Dridex campaign, people should remain extremely wary of any Word document attached to an e-mail, even when it appears to come from someone the recipient knows. The attacks observed by McAfee do not work when a booby-trapped document is viewed in the Office feature known as Protected View. That means people should think carefully before editing or printing a received document or doing anything else that requires Protected View to be disabled. People can also prevent the exploits from working by setting two values in the Windows registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 (block RTF files from being opened or saved) and OpenInProtectedView in the same key to 0 (do not open blocked files at all, rather than opening them in Protected View). The path as given omits the hive: these are Word's Trust Center File Block settings, which live under HKEY_CURRENT_USER, and 15.0 is the Office 2013 hive, so substitute 14.0 or 16.0 for Office 2010 or 2016. Note that this blocks every RTF file, legitimate ones included, and that File Block acts on the format Word detects rather than on the file-name extension, which is why it covers the campaign's RTF attachments named .doc.

Update, 4/11/2017 9:53 California time: Ryan Hanson, a researcher at security firm Optiv who discovered the Word vulnerability last July and reported it to Microsoft in October, says exploits can bypass Protected View mitigations. He said the registry tweak outlined above prevents such bypasses from working.
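The registry tweak described above, applied with PowerShell as an added example; this is not a script from the article, McAfee or Microsoft. It assumes the File Block settings belong in the HKEY_CURRENT_USER Trust Center key (the path quoted above omits the hive), checks the 14.0, 15.0 and 16.0 hives (Office 2010, 2013 and 2016) and skips any version that is not installed for the current user. Set-WordRtfFileBlock is a name chosen for this example.

```powershell
# Added example (not from the article, McAfee or Microsoft): apply the RTF File Block
# mitigation to every Word version present in the current user's registry.
# Assumptions: HKCU Trust Center key (hive not given in the article); Office hives
# 14.0/15.0/16.0 for Office 2010/2013/2016. Run as the user whose Word profile is
# being hardened; no elevation is needed for HKCU.

function Set-WordRtfFileBlock {
    param(
        [string[]] $OfficeVersions = @('14.0', '15.0', '16.0')
    )
    foreach ($v in $OfficeVersions) {
        $wordKey = "HKCU:\Software\Microsoft\Office\$v\Word"
        if (-not (Test-Path $wordKey)) { continue }   # this Office version is not installed for the user

        $fb = Join-Path $wordKey 'Security\FileBlock'
        New-Item -Path $fb -Force | Out-Null          # creates Security\FileBlock if absent

        # RtfFiles = 2: block RTF files from being opened or saved.
        New-ItemProperty -Path $fb -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null

        # OpenInProtectedView = 0: do not open blocked files at all. The value 1 would open
        # them in Protected View instead, which the Optiv researcher says the exploit can bypass.
        New-ItemProperty -Path $fb -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null

        # Read the values back so the caller can see what was actually applied.
        $applied = Get-ItemProperty -Path $fb
        [pscustomobject]@{
            Office              = $v
            RtfFiles            = $applied.RtfFiles
            OpenInProtectedView = $applied.OpenInProtectedView
        }
    }
}

Set-WordRtfFileBlock | Format-Table -AutoSize
```

Once the patch is installed, set RtfFiles back to 0 (or remove the two values) if users need to open RTF files again. In a managed environment the equivalent Group Policy setting, under Software\Policies\Microsoft\Office\<version>\Word\Security\FileBlock, takes precedence over the per-user value this script writes, so check for a policy key before assuming the change took effect.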
