MS Word’s zero-day vulnerability helps to spread Dridex Trojan

Microsoft developers now have a serious conundrum on their hands as three major security vendors have recently exposed a zero-day vulnerability in Microsoft Word code [1] which allows delivering and executing an infamous Dridex banking Trojan on the targeted computers. According to the findings, this new type of malware is primarily circling within the Australian borders [2], but can easily spread to the rest of the world, given the opportunity. The new virus leaves all the anti-exploit protection measures obsolete even in the latest Microsoft Word versions, including the ones running on Windows 10. It is interesting that unlike most Word-based viruses, this one does not require Macros [3] to be enabled. Mysterious nature of this security bug fuels speculations of its ability to infiltrate Mac operating systems as well. As long as this hypothesis hasn’t been confirmed, both Windows and Mac OS users should remain alerted.

Image of the Zero-day vulnerability in MS Word

Millions have already received Dridex-infected Word documents to their email inboxes, and a considerable number of them have unknowingly allowed the virus to enter their computers. Dridex is a serious cyber threat which has been actively infecting computers since 2014 and since then has accumulated an enormous profit for its creators. The Trojan’s working principle is simple: it infiltrates the computer, connects it to a malicious botnet and consistently collects online banking credentials while silently running in the background of the system. The consequences of Dridex infiltration usually involve identity theft and major financial losses, so this Trojan definitely not the type of malware you want to find its way on your computer. Luckily, malware research experts at Proofpoint have managed to distinguish some patterns [4] that may help recognize the virus and avoid it.

Since the virus travels by mail, the best you can do to determine whether an email you’ve received might carry malicious content is by looking at the email’s sender, subject line, and the attachments section. When it comes to the sender, it may vary. The spam campaign currently uses the form <[device]@[recipient's domain]> to conceal the sender’s address and rotates between “copier”, “documents”, “noreply”, “no-reply”, or “scanner” adding these items instead of [device]. The subject line is static, tough. In all the investigated instances Proofpoint expert have found that it reads “Scan Data.” Finally, the attachments. These might include .doc or .pdf files labeled something like “Scan_[random digits].doc” or “Scan_[random digits.pdf”. Please note that Protected View mode [5] also prevents the vulnerability from being utilized, so you might want to keep Protected View enabled until Microsoft patches up the zero-day in the next update.

About the author
Lucia Danes
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.

Contact Lucia Danes
About the company Esolutions