A recently revealed zero-day vulnerability in Microsoft Office is being exploited by the Dridex banking Trojan to compromise unsuspecting victims’ computers, Proofpoint security researchers warn.
Detailed recently by McAfee and FireEye, the zero-day allows an attacker to achieve code execution on compromised machines. Leveraging Office’s Object Linking and Embedding (OLE) functionality, an attacker could create a malicious RTF (Rich Text Format) document that links to an HTA (HTML Application) file hosted on remote servers, which in turn executes a malicious Visual Basic script.
According to Proofpoint, the vulnerability is currently being exploited in malicious documents that millions of recipients across various organizations primarily in Australia have received via email, and which eventually led to the Dridex Trojan being installed on the compromised system.
The campaign features messages supposedly coming from “<[device]@[recipient’s domain]>”, where [device] could be “copier”, “documents”, “noreply”, “no-reply”, or “scanner.” All emails use “Scan Data” as subject line, while the attached Microsoft Word RTF document is named “Scan_xxxx.doc” or “Scan_xxxx.pdf.”
“Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing,” Proofpoint says.
When the malicious document is opened, the exploit carries out a series of operations that eventually result in Dridex botnet ID 7500 being installed on the victim’s system. The security researchers noticed that the exploit worked without user interaction: the system was compromised even if the user was presented a dialog about the document containing “links that may refer to other files.”
The particular instance of Dridex distributed as part of this infection campaign was observed using over 100 injects for known banks and for various other popular applications and online destinations.
“Although document exploits are being used less frequently in the wild, with threat actors favoring social engineering, macros, and other elements that exploit “the human factor,” this campaign is a good reminder that actors will shift tactics as necessary to capitalize on new opportunities to increase the effectiveness of their efforts,” Proofpoint says.
Related: Critical Office Zero-Day Exploited in Attacks
Related: Dridex Trojan Uses New Tactic to Bypass User Account Control