Story image

Dridex email campaign hits Australia: Patch your MS Office software now

12 Apr 17

A zero-day vulnerability is affecting all Windows versions of Microsoft Office, and that vulnerability is being exploited in an email campaign that distributes the notorious Dridex banking trojan.

Yesterday Proofpoint researchers discovered the activity, which was delivered to millions of organisations in Australia.

“We believe one of the reasons Dridex actors targeted millions of Australian recipients, across numerous organisations, with this recent Microsoft Word 0-day vulnerability because they wanted to take advantage of the small window before it was patched," explains Bryan Burns, vice president of Threat Research, Proofpoint.

"Sending it to Australian organisations early on Tuesday morning Australian time/late Tuesday U.S. time provided a longer window of possible exposure. Because of the widespread effectiveness and rapid weaponisation of this recent 0-day vulnerability, it is critical that users and organisations apply today’s Microsoft patch as soon as possible," he says.

The emails use spoofed email domains and attachments that pretend they are scanned documents to lure users into opening them.

A statement from proofpoint says that “Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "<[device]@[recipient's domain]>". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits.”

Microsoft has been quick off the mark to release a patch for the vulnerability, which also affected Office 2016.  

Researchers say the Dridex attackers have changed their methods significantly, as they previously relied on document macros in email attachments.

This time the vulnerability doesn’t require macros to be enabled - the first campaign of its kind to use the newly-disclosed Microsoft zero-day.

"Threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users. Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits,” comments Sherrod DeGrippo, director of Emerging Threats for Proofpoint.

“New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit,” deGrippo says.

Proofpoint says that while social engineering and the human factor are both an important part of threat landscape, attackers will still use vulnerabilities and tools to conduct malware attacks.

Hillstone CTO's 2019 security predictions
Hillstone Networks CTO Tim Liu shares what key developments could be expected in the areas of security compliance, cloud, security, AI and IoT.
Can it be trusted? Huawei’s founder speaks out
Ren Zhengfei spoke candidly in a recent media roundtable about security, 5G, his daughter’s detainment, the USA, and the West’s perception of Huawei.
Oracle Java Card update boosts security for IoT devices
"Java Card 3.1 is very significant to the Internet of Things, bringing interoperability, security and flexibility to a fast-growing market currently lacking high-security and flexible edge security solutions."
Sophos hires ex-McAfee SVP Gavin Struther
After 16 years as the APAC senior vice president and president for McAfee, Struthers is now heading the APJ arm of Sophos.
Security platform provider Deep Instinct expands local presence
The company has made two A/NZ specific leadership hires and formed several partnerships with organisations in the region.
Half of companies unable to detect IoT device breaches
A Gemalto study also shows that the of blockchain technology to help secure IoT data, services and devices has doubled in a year.
Stepping up to sell security services in A/NZ
WatchGuard Technologies A/NZ regional director gives his top tips on how to make a move into the increasingly lucrative cybersecurity services market.
Huawei founder publically denies spying allegations
“After all the evidence is made public, we will rely on the justice system.”