'Millions' of Microsoft Word users hit with banking virus exploiting unpatched vulnerability

An unpatched zero-day security vulnerability impacting every version of Microsoft Word has been exploited by hackers to spread a notorious banking Trojan called Dridex to millions of users around the world, security researchers have revealed.

Experts from Proofpoint, a US cybersecurity firm, said on 10 April (Monday) they had observed a widespread email campaign spreading the malware, building on previous warnings from companies McAfee and FireEye which first exposed the existence of the security flaw.

Initially, McAfee researchers said the earliest attack detected was in January this year, explaining samples suggested that Microsoft Word files were being laced with malware and could hit all versions of Office, including the latest software running on Windows 10.

What's worse is there was no fix for the general user, so despite the previously undetected bug being discovered users remained at risk.*

The tech giant, which has remained tight-lipped in the face of such a serious cybersecurity issue, is expected to push out a patch this week (11 April).

In a blog post, Proofpoint researchers said the vulnerability represents a "significant level of agility and innovation" for the developers of the Dridex banking Trojan, which traditionally spreads to Windows users via macro-based documents in email attachments.

The researchers said the campaign the first known case using the recently-exposed zero-day. In this instance, the team said the campaign was sent to "millions of recipients" across numerous of unnamed organisations, with a large amount located in Australia.

It said: "When recipients open the document, the exploit – if successful – is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user's system.

"During our testing (on Office 2010) the vulnerable system was fully exploited despite the fact that users were presented a dialog about the document containing 'links that may refer to other files' [and] user interaction was not required."

Sherrod DeGrippo, director of emerging threats at Proofpoint said: "Threat actors continue to demonstrate their flexibility and adaptability.

"Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits. New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign."

It is highly advised that both users and organisations apply the patch as soon as it becomes available.

*See here for a technical solution to the issue.

Text: "You can block the Word RCE by setting: SoftwareMicrosoftOffice15.0WordSecurityFileBlockRtfFiles to 2 and OpenInProtectedView to 0"