The still-unpatched MS Office zero-day vulnerability publicized by McAfee and FireEye researchers this weekend is being exploited to deliver the infamous Dridex banking malware.
Exploit delivered through spam email
Proofpoint researchers observed the exploit being leveraged in a spam email campaign directed at millions of recipients across numerous organizations, primarily located in Australia.
“Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from ‘<[device]@[recipient's domain]>’. [device] may be ‘copier’, ‘documents’, ‘noreply’, ‘no-reply’, or ‘scanner’. The subject line in all cases read ‘Scan Data’ and included attachments named ‘Scan_123456.doc’ or ‘Scan_123456.pdf’, where ‘123456’ was replaced with random digits,” they shared.
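As an added illustration (not code from the article or from Proofpoint), the following Python turns the indicators quoted above into a mail-gateway check. The distinctive part of the pattern is the sender: a device-style local part at the recipient's own domain, which is how a genuine scan-to-email notice from an internal multifunction printer would look. The check also flags an attachment whose content is RTF but whose name carries a .doc or .pdf extension, since the quoted description says the lure is an RTF document named that way. The message field names, the sample messages and the RTF-magic test are assumptions of this example.

```python
import re
from email.utils import parseaddr

# Indicators taken from the Proofpoint description quoted above.
DEVICE_LOCAL_PARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
CAMPAIGN_SUBJECT = "scan data"
ATTACHMENT_NAME_RE = re.compile(r"^scan_\d{6}\.(?:doc|pdf)$", re.IGNORECASE)
RTF_MAGIC = b"{\\rtf"  # every RTF file starts with "{\rtf"

# Constructed sample messages (not real captures): the header fields and the
# first bytes of each attachment, as a gateway filter might receive them.
# The field layout is an assumption of this example.
SAMPLE_MESSAGES = [
    {"from": "copier@example.com", "to": "alice@example.com", "subject": "Scan Data",
     "attachments": [("Scan_482913.doc", b"{\\rtf1\\ansi\\deff0")]},
    {"from": "no-reply@example.com", "to": "bob@example.com", "subject": "Scan Data",
     "attachments": [("Scan_004211.pdf", b"{\\rtf1\\ansi")]},
    # Same lure, but sent from a third-party domain and carrying a real OLE .doc
    {"from": "scanner@other-vendor.net", "to": "carol@example.com", "subject": "Scan Data",
     "attachments": [("Scan_112233.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")]},
    # Internal-looking sender, but not one of the device names
    {"from": "hr@example.com", "to": "dave@example.com", "subject": "Scan Data",
     "attachments": [("Scan_999999.doc", b"{\\rtf1")]},
    # Device-style spoof with an unrelated subject and a genuine PDF
    {"from": "copier@example.com", "to": "erin@example.com", "subject": "Invoice attached",
     "attachments": [("invoice.pdf", b"%PDF-1.4")]},
]


def _split_address(addr):
    """Return (local_part, domain), lowercased, for an RFC 5322 address string."""
    _, email_addr = parseaddr(addr)
    local, _, domain = email_addr.rpartition("@")
    return local.lower(), domain.lower()


def disguised_rtf_attachments(msg):
    """Names of attachments whose content is RTF but whose extension is not .rtf."""
    return [
        name for name, head in msg.get("attachments", [])
        if head.lstrip().startswith(RTF_MAGIC) and not name.lower().endswith(".rtf")
    ]


def campaign_indicators(msg):
    """Return the list of campaign indicators the message matches, in a fixed order."""
    hits = []
    sender_local, sender_domain = _split_address(msg.get("from", ""))
    _, recipient_domain = _split_address(msg.get("to", ""))
    # Sender spoofs a device address at the recipient's own domain
    if sender_local in DEVICE_LOCAL_PARTS and sender_domain and sender_domain == recipient_domain:
        hits.append("spoofed_internal_sender")
    if msg.get("subject", "").strip().lower() == CAMPAIGN_SUBJECT:
        hits.append("subject")
    if any(ATTACHMENT_NAME_RE.match(name) for name, _ in msg.get("attachments", [])):
        hits.append("attachment_name")
    if disguised_rtf_attachments(msg):
        hits.append("disguised_rtf")
    return hits


def matches_campaign(msg):
    """True when sender spoof, subject and attachment name all line up."""
    hits = set(campaign_indicators(msg))
    return {"spoofed_internal_sender", "subject", "attachment_name"} <= hits


def flagged_indices(messages):
    """Indices of messages that match the full campaign pattern."""
    return [i for i, m in enumerate(messages) if matches_campaign(m)]


if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES):
        verdict = "BLOCK" if matches_campaign(m) else "pass"
        print(i, m["from"], "->", m["to"], campaign_indicators(m), verdict)
```

The full-pattern match is deliberately strict so it can be used as a blocking rule without catching legitimate scan-to-email traffic from other vendors' devices. The `disguised_rtf` indicator is worth acting on by itself: message 3 above fails the sender check but still carries an RTF file named as a .doc, which is exactly the lure this campaign uses, and the sender list will not stay stable across campaigns.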
This particular Dridex variant is capable of detecting when users access the online banking portals of various Australian banks and other popular sites (Bing, Yahoo, etc.), and of injecting phishing forms and pages into them.
We often hear of cyber espionage groups leveraging zero-day exploits against specific targets, but it’s unusual for banking malware peddlers to use them.
“This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails,” the researchers noted.
Patch expected today
Microsoft is planning to address this issue via an update scheduled to be released later today, as part of its regular monthly Patch Tuesday. Users who have not enabled automatic updates should install it as soon as possible.
“Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue,” the company noted.
It’s almost mid-April now and, according to McAfee, attackers have been using the exploit since late January. Microsoft obviously knew about the flaw and has been preparing the patch, but it did not deem it necessary to inform the public about the attacks, even though the exploit requires no user interaction beyond opening a booby-trapped file, and the crooks were and are clearly targeting a wide swath of the Windows-using populace.
It is still unknown whether the exploit might work against MS Office on Mac or Linux.
UPDATE: Microsoft has pushed out patches for the vulnerability; users can find the right one for their Office version here. FireEye has also shared details about two more email campaigns taking advantage of the flaw, infecting users with LATENTBOT and the WingBird dropper.