Dridex Trojan Campaign Ravages with New Zero-Day


It turned out that these files exploited a zero-day vulnerability in Microsoft Word to install malware.

The attack starts as an innocent-looking Word document that comes attached to an email, but is booby-trapped with an OLE2link object.

The gang behind the Dridex computer trojan has adopted an unpatched Microsoft Word exploit and used it to target millions of users. Exploiting the faulty code string enables the perpetrators to create malicious RTF (Rich Text Format) files that link to HTA (HTML Application) files on remote servers. "Because .hta is executable, the attacker gains full code execution on the victim's machine", stated McAfee. The attacks are able to bypass other exploit mitigations as well.

The Word document exploit at the centre of the attack was only discovered last week, so its abuse represents a rapid weaponization of the exploit.

McAfee says that it has already contacted Microsoft regarding this risky malware, and Microsoft is expected to roll out an update fixing the flaw in its apps this week as part of its regular Patch Tuesday release, reported Express.

"Even if you think you know the person who sent it, it doesn't matter", said Kevin Anderson. Once running, the .hta file downloads additional payloads from "different well-known malware families" and then pops up a real Word document to hide its activities. The zero-day isn't exploited via macro scripts, but via an embedded OLE object that executes automatically when the victim opens the file.
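The two passages above describe the delivery chain from the defender's side: an RTF carrying an OLE2link object that is refreshed automatically on open and pulls an .hta file from a remote server. The following scanner is an added example, not code from the article or from any of the vendors it quotes; it decodes the hex-encoded `\objdata` groups of an RTF and flags the combination of the `OLE2Link` marker, a remote URL, and a `.hta` reference, together with the `\objupdate` and `\objautlink` control words that make Word refresh the link on open. The sample documents, the URL `http://example.invalid/update.hta`, and the exact byte layout of the object data are constructed for illustration and are not a working exploit.

```python
"""Triage scanner for the RTF -> OLE2Link -> remote .hta pattern (added example)."""
import binascii
import re

# Control words worth flagging: \objupdate makes Word refresh a linked object
# when the file opens, \objautlink declares an automatically updated link.
CONTROL_WORDS = ("\\objupdate", "\\objautlink")

# Hex-encoded \objdata payload; the character class stops at the closing brace.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]*)")

# Strings to look for inside decoded object data, in ASCII or UTF-16LE form.
INDICATORS = ("OLE2Link", "http://", "https://", ".hta")


def extract_objdata(rtf: str) -> list:
    """Return the decoded bytes of every \\objdata blob in the document."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        if hexstr:
            blobs.append(bytes.fromhex(hexstr))
    return blobs


def find_indicators(blob: bytes) -> set:
    """Indicator strings present in the blob, matched case-insensitively
    in both ASCII and UTF-16LE (the encoding a link moniker uses for a URL)."""
    lowered = blob.lower()           # bytes.lower() only touches ASCII letters
    hits = set()
    for ind in INDICATORS:
        ascii_form = ind.lower().encode("ascii")
        utf16_form = ind.lower().encode("utf-16-le")
        if ascii_form in lowered or utf16_form in lowered:
            hits.add(ind)
    return hits


def scan_rtf(rtf: str) -> dict:
    """Summarise the object-link indicators found in one RTF document."""
    indicators = set()
    for blob in extract_objdata(rtf):
        indicators |= find_indicators(blob)
    flags = {cw.lstrip("\\"): cw in rtf for cw in CONTROL_WORDS}
    remote = bool({"http://", "https://"} & indicators)
    # An OLE2Link object pointing at a remote resource or an .hta is the
    # combination the article describes; either alone is only a weak signal.
    suspicious = "OLE2Link" in indicators and (remote or ".hta" in indicators)
    return {
        "indicators": sorted(indicators),
        "objupdate": flags["objupdate"],
        "objautlink": flags["objautlink"],
        "suspicious": suspicious,
    }


def _hex(data: bytes) -> str:
    return binascii.hexlify(data).decode("ascii")


# Constructed sample (not a real exploit): an RTF whose embedded object data
# carries the OLE2Link marker and a remote .hta URL stored as UTF-16LE.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objdata "
    + _hex(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")      # OLE compound-file magic
    + _hex(b"OLE2Link\x00")
    + _hex("http://example.invalid/update.hta".encode("utf-16-le"))
    + "}}}"
)

# Constructed benign document with no embedded objects at all.
BENIGN_RTF = r"{\rtf1\ansi Plain text, no embedded objects.}"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

The check deliberately keys on the co-occurrence of the `OLE2Link` marker with a remote URL or `.hta` reference rather than on any single string: legitimate documents do embed linked objects, so the presence of `\objautlink` or `\objupdate` on its own should raise the score, not the verdict. On a mail gateway the same function can run over every RTF attachment (including `.doc` files that are really RTF) before they reach a user who, as the article notes, may well trust the apparent sender.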

Proofpoint also urged Microsoft Word users to install the security updates quickly.

Researchers from a number of security companies have warned about the vulnerability, which Microsoft has yet to acknowledge publicly. While Microsoft works on a patch, McAfee recommends not opening any Office files obtained from untrusted sources, and also enabling Office Protected View. One is an Internet Explorer vulnerability that allows attackers to access sensitive information from one domain and inject it into another address. After McAfee's limited public disclosure, researchers from FireEye confirmed having tracked the attacks for several weeks as well.

The vulnerability has been known about since early January, when security researchers observed attackers exploiting the flaw.

McAfee advised users on how to protect themselves from this malicious program while waiting for an official announcement and security patch from Microsoft (which McAfee has already notified).