Unpatched Microsoft Word Flaw Is Being Used to Spread Dridex Banking Trojan

If you are a regular reader of The Hacker News, you might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.

Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.

Dridex is currently one of the most dangerous banking trojans on the Internet that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating PCs and stealing victim's online banking credentials and financial data.

The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails.

However, this is the first time when researchers found the Dridex operators using an unpatched zero-day flaw in Microsoft Word for distributing their banking trojan.

According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks primarily located in Australia.

"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "[device]@[recipient's domain]." [Device] may be "copier", "documents", "noreply", "no-reply", or "scanner"," Proofpoint researchers say.

"The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits...the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing."

As we reported on Saturday, this zero-day flaw is severe because it gives hackers power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it doesn't require victims to enable Macros.

Moreover, given the danger of Dridex – also known as Bugat and Cridex – banking trojan, people are strongly advised not to open Word documents attached to an email from anyone, even if you know the sender, until Microsoft releases a patch.
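
The lure traits in the Proofpoint description above can be turned into a mail-filter check. The following Python is an added example, not code from Proofpoint or The Hacker News; the indicator labels, the `build_sample` helper and the example.com addresses are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

# Values quoted from the Proofpoint description on this page.
DEVICE_NAMES = {"copier", "documents", "noreply", "no-reply", "scanner"}
ATTACHMENT_RE = re.compile(r"^Scan_\d+\.(doc|pdf)$", re.IGNORECASE)
RTF_MAGIC = b"{\\rtf"  # RTF files begin with these bytes


def lure_indicators(raw_message: bytes) -> list:
    """Return the lure traits (labels are this example's own) a message shows."""
    msg = message_from_bytes(raw_message)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    s_local, _, s_domain = sender.rpartition("@")
    # "[device]@[recipient's domain]": spoofed sender on the recipient's own domain.
    if s_local in DEVICE_NAMES and s_domain and s_domain == rcpt.rpartition("@")[2]:
        hits.append("device-sender-on-recipient-domain")
    if (msg.get("Subject") or "").strip().lower() == "scan data":
        hits.append("subject-scan-data")
    for part in msg.walk():
        name = part.get_filename()
        if not name or not ATTACHMENT_RE.match(name):
            continue
        hits.append("scan-attachment-name")
        body = part.get_payload(decode=True) or b""
        # The campaign sent RTF documents under .doc/.pdf names.
        if body.lstrip().startswith(RTF_MAGIC):
            hits.append("rtf-content-behind-doc-or-pdf-name")
    return hits


def build_sample(sender, subject, filename, content):
    """Build a constructed test message (sample data, not a captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "alice@example.com", subject
    m.set_content("Please see attached.")
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A genuine office scanner can match the sender, subject and file name traits, so the RTF-content mismatch is the trait that separates the lure from routine scan-to-email traffic.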


Microsoft knew of the flaw very long ago


According to researchers at McAfee and FireEye, Microsoft has known of the remote code flaw since January and could release a patch for the vulnerability today, as part of its regular Patch Tuesday routine.

However, an independent security researcher, Ryan Hanson, claimed that he discovered this 0-day, along with two other flaws, in July and reported it to Microsoft in October 2016.

"The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those two bugs and an additional Outlook bug were submitted to MS in October," Hanson told The Hacker News.

"There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they've identified functions just like the one I disclosed. The only difference I see is the VBScript payload, since my payload just executed calc.exe."

If the claims made by Hanson are true and the vulnerability he reported is the same one being used in the wild to spread Dridex, Microsoft left its customers vulnerable to the attacks even after knowing of the critical flaw for quite a long time.

Enable 'Protected View' in Microsoft Office to Prevent Attack


Since the attack does not work when a malicious document is viewed in Office Protected View, users are advised to enable this feature in order to view any Office documents.

For more technical details about the latest Dridex malware campaign exploiting the unpatched Microsoft Word flaw, you can head on to the blog post published by Proofpoint.