Since Microsoft has released a patch, you should update

Apr 12, 2017 01:32 GMT

The zero-day vulnerability affecting all versions of Microsoft Word was, it seems, being used for more than one purpose, including a large email campaign spreading the Dridex banking trojan.

In the past few days, it was announced that a serious security flaw in Microsoft Word made it possible for hackers to hijack computers with the help of a malicious RTF document containing hidden code that downloads the malware onto the victim's computer.

According to security firm Proofpoint, however, the vulnerability was also exploited in a large-scale email campaign spreading Dridex left and right, although it seems that most of those who received infected emails lived in Australia.

"This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails. While a focus on exploiting the human factor - that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks - remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day," Proofpoint writes.

How it works

The scam worked as it always does. An individual received an email containing an attachment. The subject line in all cases read "Scan Data", and the attachment names included the word "scan" and random numbers.

Once the document was opened, the exploit was used to carry out a series of actions leading to the installation of the Dridex botnet.

"Many combinations of Microsoft Word and Windows support 'Protected View' for documents downloaded from the internet or opened directly from the email. In these cases, the user needs to 'Enable Editing' before the exploit runs. However, most users are accustomed to enabling editing," researchers note.

Thankfully, however, Microsoft has issued a patch for this vulnerability, as promised. That being said, you have to make sure you update Microsoft Office as soon as possible so that you can patch up before other exploits appear in the wild trying to take advantage of the situation.
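
A mail-triage check for the lure traits described above (the "Scan Data" subject, attachment names with "scan" and digits, RTF content), as an added example that is not from the article or from Proofpoint. The file-name pattern, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECT = "scan data"                     # subject line reported in the article
NAME_RE = re.compile(r"scan.*\d", re.I)   # assumption: "scan" plus digits in the file name
RTF_MAGIC = b"{\\rtf"                     # RTF files start with these bytes, whatever the extension


def triage(raw: bytes) -> dict:
    """Report which of the campaign traits a raw e-mail message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "name": [], "rtf": []}
    hits["subject"] = (msg["Subject"] or "").strip().lower() == SUBJECT
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        if NAME_RE.search(name):
            hits["name"].append(name)
        # Check content, not extension: an RTF file can be named .doc.
        if body.startswith(RTF_MAGIC):
            hits["rtf"].append(name)
    return hits


def is_suspicious(hits: dict) -> bool:
    """Flag when an attachment is really RTF and the lure also matches."""
    return bool(hits["rtf"]) and (hits["subject"] or bool(hits["name"]))


def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Build a constructed test message (no real sample data)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please see attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="msword", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample("Scan Data", "Scan_12345.doc", b"{\\rtf1 constructed}")
    print(triage(raw), is_suspicious(triage(raw)))
```

A match is a reason to quarantine and inspect the message, not proof of the exploit; the check only looks at the lure and the file type.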