Story image

Dridex email campaign hits Australia: Patch your MS Office software now

12 Apr 2017

A zero-day vulnerability is affecting all Windows versions of Microsoft Office, and that vulnerability is being exploited in an email campaign that distributes the notorious Dridex banking trojan.

Yesterday Proofpoint researchers discovered the activity, which was delivered to millions of organisations in Australia.

“We believe one of the reasons Dridex actors targeted millions of Australian recipients, across numerous organisations, with this recent Microsoft Word 0-day vulnerability because they wanted to take advantage of the small window before it was patched," explains Bryan Burns, vice president of Threat Research, Proofpoint.

"Sending it to Australian organisations early on Tuesday morning Australian time/late Tuesday U.S. time provided a longer window of possible exposure. Because of the widespread effectiveness and rapid weaponisation of this recent 0-day vulnerability, it is critical that users and organisations apply today’s Microsoft patch as soon as possible," he says.

The emails use spoofed email domains and attachments that pretend they are scanned documents to lure users into opening them.

A statement from proofpoint says that “Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "<[device]@[recipient's domain]>". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits.”

Microsoft has been quick off the mark to release a patch for the vulnerability, which also affected Office 2016.  

Researchers say the Dridex attackers have changed their methods significantly, as they previously relied on document macros in email attachments.

This time the vulnerability doesn’t require macros to be enabled - the first campaign of its kind to use the newly-disclosed Microsoft zero-day.

"Threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users. Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits,” comments Sherrod DeGrippo, director of Emerging Threats for Proofpoint.

“New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit,” deGrippo says.

Proofpoint says that while social engineering and the human factor are both an important part of threat landscape, attackers will still use vulnerabilities and tools to conduct malware attacks.

Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.
Unencrypted Gearbest database leaves over 1.5mil shoppers’ records exposed
Depending on the countries and information requirements, the data could give hackers access to online government portals, banking apps, and health insurance records.