- Type of attack: Dridex banking trojan exploiting critical Microsoft Word zero-day vulnerability
- Attack vector: Email
- Extent of attack: Millions have been targeted in high-volume phishing campaign
A Dridex banking trojan campaign exploiting the new Microsoft Word zero-day vulnerability may be a sign of more attacks to come. Here's what you need to know.
Shortly after news broke that a new zero-day vulnerability was affecting all versions of Microsoft Office, criminals behind the Dridex banking trojan wasted no time launching a massive email campaign designed to actively exploit it.
The vulnerability, which is specifically related to the Windows Object Linking and Embedding (OLE) feature, was particularly dangerous because it allowed attackers to infect victims without having to trick them into enabling macros. Once infected with Dridex, victims are at risk of having their credentials and banking information stolen for use in fraudulent transactions.
Microsoft has since issued a patch for the vulnerability (CVE-2017-0199), but the attacks are the latest indication that high-volume Dridex campaigns are ramping back up in a big way. In addition to patching, companies should take the additional precautions outlined below.
How victims are getting infected
According to researchers at Proofpoint, emails in the Dridex campaign are disguised as messages from office printers and copiers delivering scanned documents. Attackers make these emails convincing by spoofing company email domains.
Sample email from Dridex phishing campaign. Source: Proofpoint
In each case the subject line was "Scan data," while the sender name varied, including "scanner", "documents", and "noreply".
The attachment is a Microsoft Word Rich Text Format (RTF) document.
How the exploit works
When a user opens the document, the exploit calls out to a remote server to retrieve a malicious HTA (HTML Application) file. Because an HTA runs as a fully trusted application, it has far more privileges than a normal HTML page.
As McAfee researchers point out in their detailed write-up of the exploit, the HTA file is actually disguised as another RTF doc to further evade detection. Its job is to load and execute malicious Visual Basic scripts that install the Dridex payload.
While all that is happening in the background, the scripts also close the initial RTF Word doc and load another decoy Word doc for the user to see.
In the Dridex samples leveraging the exploit that Proofpoint found, Word did present users with a dialog box informing them the document contained "links that may refer to other files," but the infection proceeded regardless of whether a user interacted with it or not.
Users were infected regardless of whether they interacted with this dialog box. Source: Proofpoint
Researchers also noted that running Microsoft Word in "Protected View" provided the additional requirement that users agree to "enable editing," though they cautioned that likely wasn't much of a hurdle.
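A defensive triage check for the RTF delivery mechanism described above, added here as an example (it is not Proofpoint's, McAfee's or Barkly's code): it walks the `\object` groups of an RTF file, flags links set to update automatically on open, and looks in the embedded OLE data for the URL Moniker class id and a remote URL. The sample RTF is constructed and inert (markers only, no real OLE stream); the CLSID constant is the URL Moniker's documented class id, and the `.hta` URL is a placeholder.

```python
import re
from typing import Dict, List

# Little-endian byte layout of the URL Moniker CLSID
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}. An OLE link that names this
# class resolves a remote URL whenever the object is updated.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

OBJECT_RE = re.compile(rb"\\object((?:\\[a-z]+-?\d*)*)")      # \object + its control words
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)\}")   # hex-encoded OLE data
URL_UTF16_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00(?:[\x21-\x7e]\x00)+")


def scan_rtf(rtf: bytes) -> List[Dict]:
    """Return one finding per \\object group: control words, whether the link
    auto-updates on open, whether the OLE data names the URL moniker or the
    OLE2Link class, and any URL recoverable from the link stream."""
    findings = []
    for m in OBJECT_RE.finditer(rtf):
        words = [w.decode() for w in re.findall(rb"\\([a-z]+)", m.group(1))]
        data_m = OBJDATA_RE.search(rtf, m.end())  # next \objdata after this object
        try:
            data = bytes.fromhex(data_m.group(1).decode()) if data_m else b""
        except ValueError:            # malformed hex: keep going, record nothing
            data = b""
        url_m = URL_UTF16_RE.search(data)
        findings.append({
            "control_words": words,
            "auto_update": "objupdate" in words,
            "url_moniker": URL_MONIKER_CLSID in data,
            "ole2link": b"OLE2Link" in data,
            "url": url_m.group(0).decode("utf-16-le") if url_m else None,
        })
    return findings


def is_suspicious(finding: Dict) -> bool:
    """Remote link fetched on open: the combination the CVE-2017-0199 RTFs relied on."""
    return finding["auto_update"] and (finding["url_moniker"] or finding["url"] is not None)


def constructed_sample() -> bytes:
    """Constructed, inert stand-in for this example: markers only, no OLE stream."""
    blob = (b"OLE2Link\x00" + URL_MONIKER_CLSID
            + "http://example.invalid/scan.hta".encode("utf-16-le") + b"\x00\x00")
    linked = (b"{\\object\\objautlink\\objupdate\\rsltpict\\objw1\\objh1"
              b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + blob.hex().encode() + b"}}")
    embedded = b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 0102}}"
    return b"{\\rtf1\\ansi" + linked + embedded + b"}"
```

Run it over a directory of quarantined attachments and alert on any file where `is_suspicious` is true for at least one object; a `\objupdate` link alone is rare enough in legitimate documents to be worth a second look.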
A sign of more Dridex attacks to come?
While additional research from FireEye suggests the criminals behind Dridex weren't the only group exploiting this zero-day vulnerability, the fact that they were seemingly able to put together a massive email campaign to do so this quickly after the vulnerability was disclosed speaks to the operation's renewed capabilities.
After a nine-month-long lull that started last June (when many Dridex distribution channels began delivering Locky ransomware instead), it appears Dridex may be experiencing a dramatic resurgence.
Proofpoint has been tracking a sudden spike in Dridex campaigns since March 30, 2017, and while the volume hasn't come close to reaching the previous peak seen in early 2016, the amount of variation in the new campaigns suggests considerable levels of renewed effort and investment, as well as a concerning eagerness to experiment with new tricks and tactics.
Dridex campaign volumes just experienced a dramatic spike. Source: Proofpoint
Are we about to experience a return to previous Dridex levels? Source: Proofpoint
How to protect your organization from Dridex
First things first: As far as the immediate threat of attacks leveraging the Microsoft Word vulnerability goes, organizations should install Microsoft's patch as soon as possible.
In addition, users should be warned to apply additional scrutiny to any Office document they receive via email, and to avoid opening attachments from sources they don't know or trust.
While this specific exploit did not require the use of Office macros, many other Dridex campaigns still do. At the very least, advise users not to enable macros in documents they receive via email. If possible, disable macros by default.
Enabling Protected View for Office documents can also provide additional protection.
Next: Deploy security that blocks Dridex at runtime.
Even when attackers find novel ways to bypass pre-execution defenses — by exploiting a zero-day vulnerability, for example — Barkly's runtime malware defense (RMD) recognizes and blocks malicious activity anytime a payload attempts to execute.
That means Barkly customers were protected against the Dridex campaign that used the Microsoft Word zero-day, and they're protected against other Dridex campaigns, as well.
Find out more about how RMD works in our Complete Guide to Runtime Malware Defense.
To see RMD in action, check out our post, "Stopping Cerber Ransomware During Runtime".