MS Word’s zero-day vulnerability helps to spread Dridex Trojan
Microsoft developers now have a serious conundrum on their hands, as three major security vendors have recently exposed a zero-day vulnerability in Microsoft Word [1] that allows the infamous Dridex banking Trojan to be delivered and executed on targeted computers. According to the findings, this new campaign is primarily circulating within Australia [2], but it can easily spread to the rest of the world given the opportunity. The exploit bypasses the anti-exploit protection measures even in the latest Microsoft Word versions, including those running on Windows 10. Notably, unlike most Word-based attacks, this one does not require macros [3] to be enabled. The unclear nature of the security bug fuels speculation that it may be able to infiltrate Mac operating systems as well. Until this hypothesis is confirmed or ruled out, both Windows and Mac OS users should remain alert.
Millions have already received Dridex-infected Word documents in their email inboxes, and a considerable number of recipients have unknowingly allowed the malware onto their computers. Dridex is a serious cyber threat that has been actively infecting computers since 2014 and has since generated an enormous profit for its creators. The Trojan’s working principle is simple: it infiltrates the computer, connects it to a malicious botnet and continuously collects online banking credentials while silently running in the background of the system. The consequences of a Dridex infection usually involve identity theft and major financial losses, so this Trojan is definitely not the type of malware you want finding its way onto your computer. Luckily, malware researchers at Proofpoint have identified some patterns [4] that may help recognize the campaign and avoid it.
Since the malware travels by email, the best you can do to determine whether a message you’ve received might carry malicious content is to look at the email’s sender, subject line, and attachments. The sender may vary. The spam campaign currently uses the form <[device]@[recipient's domain]> to conceal the sender’s address and rotates between “copier”, “documents”, “noreply”, “no-reply”, and “scanner” in place of [device]; because the domain is the recipient’s own, the message appears to come from an internal office device. The subject line is static, though: in all the investigated instances, Proofpoint experts found that it reads “Scan Data.” Finally, the attachments. These are .doc or .pdf files named something like “Scan_[random digits].doc” or “Scan_[random digits].pdf”. Please note that Protected View mode [5] also prevents the vulnerability from being exploited, so you should keep Protected View enabled until Microsoft patches the zero-day in the next update.
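As an added illustration (not part of the original article or of Proofpoint’s analysis), the following Python turns the three indicators described above into a simple mail-triage rule: a “device” local part paired with the recipient’s own domain, the static subject “Scan Data”, and an attachment named Scan_<digits>.doc or .pdf. The two sample messages are constructed for this example, their attachment bodies are placeholders, and parsing uses only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators as reported for this campaign (see the article above).
DEVICE_LOCAL_PARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
CAMPAIGN_SUBJECT = "scan data"
ATTACHMENT_RE = re.compile(r"^scan_\d+\.(doc|pdf)$", re.IGNORECASE)


def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and report which campaign indicators it matches.

    Returns {"indicators": {name: bool, ...}, "score": number of matched indicators}.
    A score of 3 means every reported lure characteristic is present.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_local, _, sender_domain = sender.rpartition("@")
    recipient_domain = recipient.rpartition("@")[2]

    # Collect attachment file names from every MIME part that carries one.
    attachments = [part.get_filename() for part in msg.walk() if part.get_filename()]

    indicators = {
        # Sender spoofs an internal device on the recipient's own domain.
        "device_sender_on_recipient_domain": (
            sender_domain != ""
            and sender_local.lower() in DEVICE_LOCAL_PARTS
            and sender_domain.lower() == recipient_domain.lower()
        ),
        # Subject line is the static "Scan Data" string.
        "scan_data_subject": msg.get("Subject", "").strip().lower() == CAMPAIGN_SUBJECT,
        # Attachment follows the Scan_<digits>.doc / .pdf naming pattern.
        "scan_named_attachment": any(ATTACHMENT_RE.match(name) for name in attachments),
    }
    return {"indicators": indicators, "score": sum(indicators.values())}


# Constructed sample: matches all three indicators (attachment body is a placeholder).
SUSPICIOUS = """\
From: scanner@example.com
To: alice@example.com
Subject: Scan Data
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/msword; name="Scan_3217.doc"
Content-Disposition: attachment; filename="Scan_3217.doc"

(constructed placeholder, not a real document)
--b1--
"""

# Constructed sample: ordinary external mail with an unrelated attachment.
BENIGN = """\
From: bob@partner.example
To: alice@example.com
Subject: Q3 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Report attached.
--b2
Content-Type: application/pdf; name="report_q3.pdf"
Content-Disposition: attachment; filename="report_q3.pdf"

(constructed placeholder)
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The rule keys on the lure characteristics that were observed, so it is a triage signal rather than a control: the sender names and attachment pattern can change between campaign waves, and a message scoring 0 is not proof of safety. Keeping Protected View enabled, as the article advises, addresses the document itself regardless of how the mail is dressed up.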
- ^ Dan Goodin. “Microsoft Word 0day used to push dangerous Dridex malware on millions.” Ars Technica.
- ^ Sara Barker. “Dridex banking trojan targets Australian organisations.” SecurityBrief.
- ^ Will Dormann. “Who needs to exploit vulnerabilities when you have macros?” SEI Insights.
- ^ “Dridex campaigns hitting millions of recipients using unpatched Microsoft zero-day.” Proofpoint.
- ^ “What is Protected View?” Microsoft Support.