If you are a regular reader of The Hacker News, you might be aware of an ongoing cyber attack (detected in the wild by McAfee and FireEye) that silently installs malware on fully patched computers by exploiting an unpatched Microsoft Word vulnerability present in all current versions of Microsoft Office.
Now, according to security firm Proofpoint, the operators of the Dridex malware have started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.
Dridex is currently one of the most dangerous banking trojans on the Internet. It exhibits the typical behaviour of infiltrating PCs, monitoring a victim's traffic to banking sites, and stealing the victim's online banking credentials and financial data.
The Dridex actors have usually relied on macro-laden Word files to distribute the malware through spam emails.
However, this is the first time researchers have found the Dridex operators using an unpatched zero-day flaw in Microsoft Word to distribute their banking trojan.
According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks located primarily in Australia.
"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from '[device]@[recipient's domain].' [Device] may be 'copier', 'documents', 'noreply', 'no-reply', or 'scanner'," Proofpoint researchers say.
As we reported on Saturday, this zero-day flaw is severe because it lets attackers bypass most of the exploit mitigations Microsoft has built into Office, and unlike past Word exploits seen in the wild, it does not require the victim to enable macros.
"The subject line in all cases read 'Scan Data' and included attachments named 'Scan_123456.doc' or 'Scan_123456.pdf', where '123456' was replaced with random digits... the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing."
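To make the lure indicators quoted above concrete, here is an added example (written for this page, not Proofpoint's tooling or code from the original article) of a small Python triage rule that parses a message and flags the traits the quotes describe: a device-style sender local part, a sender domain that matches the recipient's own domain, the "Scan Data" subject, the Scan_<digits>.doc/.pdf attachment name, and a .doc or .pdf attachment whose bytes are actually RTF rather than the format its extension claims. The sample messages, the three-indicator threshold, the assumption that the digit count in the attachment name varies, and all function names are constructed for this illustration.

```python
"""Triage rule for the 'Scan Data' lure: added illustration, not Proofpoint's tooling."""
import email.utils
import os
import re
from email.message import EmailMessage

# Sender local parts Proofpoint observed in the campaign.
DEVICE_LOCALPARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
# Attachment naming pattern: "Scan_" + random digits + .doc/.pdf (digit count assumed variable).
ATTACHMENT_RE = re.compile(r"^scan_\d+\.(doc|pdf)$", re.IGNORECASE)

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx container
# What the first bytes of a file should look like for the extension it carries.
EXPECTED_MAGIC = {".doc": (OLE_MAGIC,), ".docx": (ZIP_MAGIC,), ".pdf": (b"%PDF",)}


def _addr_parts(header_value):
    """Split 'Name <user@domain>' into (user, domain), lower-cased."""
    _, address = email.utils.parseaddr(header_value or "")
    local, _, domain = address.rpartition("@")
    return local.lower(), domain.lower()


def score_message(msg):
    """Return a list of lure indicators found in msg; an empty list means none matched."""
    hits = []
    from_local, from_domain = _addr_parts(msg.get("From"))
    _, to_domain = _addr_parts(msg.get("To"))

    if from_local in DEVICE_LOCALPARTS:
        hits.append(f"device-style sender local part '{from_local}'")
    if from_domain and from_domain == to_domain:
        hits.append("sender domain equals recipient domain (spoofed internal sender)")
    if (msg.get("Subject") or "").strip().lower() == "scan data":
        hits.append("subject line 'Scan Data'")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name matches Scan_<digits>.doc/.pdf: {name}")
        ext = os.path.splitext(name)[1].lower()
        expected = EXPECTED_MAGIC.get(ext)
        if expected and not payload.startswith(expected):
            actual = "RTF" if payload.startswith(RTF_MAGIC) else "unrecognised"
            hits.append(f"attachment {name} is {actual} data, not a real {ext} file")
    return hits


def is_suspicious(msg, threshold=3):
    """Hypothetical policy: three or more indicators is enough to quarantine."""
    return len(score_message(msg)) >= threshold


def build_sample(from_addr, to_addr, subject, filename, content):
    """Build a constructed test message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(content, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


if __name__ == "__main__":
    lure = build_sample("scanner@example.com", "alice@example.com", "Scan Data",
                        "Scan_482913.doc", b"{\\rtf1\\ansi\\deff0 {\\fonttbl} }")
    benign = build_sample("bob@partner.example", "alice@example.com", "Q2 contract",
                          "contract.doc", OLE_MAGIC + b"\x00" * 8)
    for label, m in (("lure", lure), ("benign", benign)):
        print(label, "suspicious" if is_suspicious(m) else "clean", score_message(m))
```

The extension-versus-content check is the one indicator that survives when the actors change their sender names or subject line: an attachment called Scan_NNNNNN.doc that begins with `{\rtf` is exactly the "Word RTF document" the quote describes, and a mail gateway can apply that test without knowing anything about the vulnerability itself.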
Moreover, given the danger posed by the Dridex banking trojan (also known as Bugat and Cridex), users are strongly advised not to open Word documents attached to an email from anyone, even a sender they know, until Microsoft releases a patch.
Microsoft knew of the flaw long ago
According to researchers at McAfee and FireEye, Microsoft has known of the remote code execution flaw since January and could release a patch for it today as part of its regular Patch Tuesday routine.
However, independent security researcher Ryan Hanson claims that he discovered this zero-day, along with two other flaws, in July and reported it to Microsoft in October 2016.
"The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those 2 bugs and an additional Outlook bug were submitted to MS in October," Hanson told The Hacker News.
"There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they've identified functions exactly like the one I disclosed. The only difference I see is the VBScript payload, since my payload simply executed calc.exe."
If Hanson's claims are true and the vulnerability he reported is the same one now being used in the wild to spread Dridex, Microsoft left its customers exposed to this attack for months after being told about the critical flaw.
Enable 'Protected View' in Microsoft Office to Prevent the Attack
Since the attack does not work when a malicious document is opened in Office Protected View, users are advised to keep this feature enabled and to view any Office document received from outside in it. Note that Hanson says the bugs he reported to Microsoft included a Protected View bypass, so treat Protected View as a stop-gap that reduces exposure rather than a substitute for the patch.
For more technical details about the latest Dridex campaign exploiting the unpatched Microsoft Word flaw, see the blog post published by Proofpoint.