A zero-day vulnerability is affecting all Windows versions of Microsoft Office, and that vulnerability is being exploited in an email campaign that distributes the notorious Dridex banking trojan.
Yesterday Proofpoint researchers discovered the activity, which was delivered to millions of organisations in Australia.
“We believe one of the reasons Dridex actors targeted millions of Australian recipients, across numerous organisations, with this recent Microsoft Word 0-day vulnerability because they wanted to take advantage of the small window before it was patched," explains Bryan Burns, vice president of Threat Research, Proofpoint.
"Sending it to Australian organisations early on Tuesday morning Australian time/late Tuesday U.S. time provided a longer window of possible exposure. Because of the widespread effectiveness and rapid weaponisation of this recent 0-day vulnerability, it is critical that users and organisations apply today’s Microsoft patch as soon as possible," he says.
The emails use spoofed email domains and attachments that pretend they are scanned documents to lure users into opening them.
A statement from proofpoint says that “Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "<[device]@[recipient's domain]>". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits.”
Microsoft has been quick off the mark to release a patch for the vulnerability, which also affected Office 2016.
Researchers say the Dridex attackers have changed their methods significantly, as they previously relied on document macros in email attachments.
This time the vulnerability doesn’t require macros to be enabled - the first campaign of its kind to use the newly-disclosed Microsoft zero-day.
"Threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users. Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits,” comments Sherrod DeGrippo, director of Emerging Threats for Proofpoint.
“New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit,” deGrippo says.
Proofpoint says that while social engineering and the human factor are both an important part of threat landscape, attackers will still use vulnerabilities and tools to conduct malware attacks.