Story image

Dridex email campaign hits Australia: Patch your MS Office software now

12 Apr 2017

A zero-day vulnerability is affecting all Windows versions of Microsoft Office, and that vulnerability is being exploited in an email campaign that distributes the notorious Dridex banking trojan.

Yesterday Proofpoint researchers discovered the activity, which was delivered to millions of organisations in Australia.

“We believe one of the reasons Dridex actors targeted millions of Australian recipients, across numerous organisations, with this recent Microsoft Word 0-day vulnerability because they wanted to take advantage of the small window before it was patched," explains Bryan Burns, vice president of Threat Research, Proofpoint.

"Sending it to Australian organisations early on Tuesday morning Australian time/late Tuesday U.S. time provided a longer window of possible exposure. Because of the widespread effectiveness and rapid weaponisation of this recent 0-day vulnerability, it is critical that users and organisations apply today’s Microsoft patch as soon as possible," he says.

The emails use spoofed email domains and attachments that pretend they are scanned documents to lure users into opening them.

A statement from proofpoint says that “Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "<[device]@[recipient's domain]>". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits.”

Microsoft has been quick off the mark to release a patch for the vulnerability, which also affected Office 2016.  

Researchers say the Dridex attackers have changed their methods significantly, as they previously relied on document macros in email attachments.

This time the vulnerability doesn’t require macros to be enabled - the first campaign of its kind to use the newly-disclosed Microsoft zero-day.

"Threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users. Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits,” comments Sherrod DeGrippo, director of Emerging Threats for Proofpoint.

“New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit,” deGrippo says.

Proofpoint says that while social engineering and the human factor are both an important part of threat landscape, attackers will still use vulnerabilities and tools to conduct malware attacks.

Hybrid cloud security big concern for business leaders
A new study highlights that IT and security professionals have significant concerns around security for hybrid cloud and multi-cloud environments.
GitHub launches fund to sponsor open source developers
In addition to GitHub Sponsors, GitHub is launching the GitHub Sponsors, GitHub will match all contributions up to $5,000 during a developer’s first year in GitHub Sponsors.
Check Point announces integration with Microsoft Azure
The integration of Check Point’s advanced policy enforcement capabilities with Microsoft AIP’s file classification and protection features enables enterprises to keep their business data and IP secure, irrespective of how it is shared. 
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Who's watching you? 
With privacy an increasing concern amongst the public, users should be more aware than ever of what personal data companies hold.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.