Office Zero Day Used in Attacks
Wednesday, April 12, 2017 @ 10:04 AM gHale
Attackers are leveraging the Microsoft Office Zero Day to deliver the Dridex banking malware.
The vulnerability is being exploited in a spam email campaign directed at millions of recipients across numerous organizations, primarily in Australia, researchers at ProofPoint said.
“Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from ‘<[device]@[recipient's domain]>’. [device] may be ‘copier’, ‘documents’, ‘noreply’, ‘no-reply’, or ‘scanner’. The subject line in all cases read ‘Scan Data’ and included attachments named ‘Scan_123456.doc’ or ‘Scan_123456.pdf’, where ‘123456’ was replaced with random digits,” ProofPoint researchers said in a blog post.
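The sender, subject and attachment-name pattern quoted above is concrete enough to turn into mail-gateway triage logic. The following is an added example, not code from the ProofPoint post or from this article. It assumes the digit count in the attachment name is variable (the post only says "random digits"), treats a match on the spoofed-internal-device sender, the subject and the attachment name as independent indicators scored against a threshold, and adds one check the post does not mention: an attachment whose first bytes are the RTF signature `{\rtf` but whose name does not end in `.rtf`, since the post describes the lure as an RTF document carrying a `.doc` or `.pdf` name. The sample messages are constructed, not real captures.

```python
import re
from dataclasses import dataclass

# Indicators taken from the ProofPoint description of the campaign.
SPOOFED_DEVICE_NAMES = {"copier", "documents", "noreply", "no-reply", "scanner"}
SUBJECT = "scan data"
# Assumption: any run of digits, since the post only says "random digits".
ATTACHMENT_RE = re.compile(r"^Scan_\d+\.(doc|pdf)$", re.IGNORECASE)
# Every RTF file starts with this byte sequence; the post says the lure is RTF
# under a .doc/.pdf name, so an extension mismatch is an extra (added) indicator.
RTF_MAGIC = b"{\\rtf"


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    attachment_name: str
    attachment_head: bytes = b""   # first bytes of the attachment body


def split_address(addr):
    """Return (local part, domain), both lower-cased; ('', '') if not an address."""
    if "@" not in addr:
        return "", ""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def score_message(msg):
    """Return the list of campaign indicators this message matches."""
    hits = []
    s_local, s_domain = split_address(msg.sender)
    _, r_domain = split_address(msg.recipient)
    if s_local in SPOOFED_DEVICE_NAMES and s_domain and s_domain == r_domain:
        hits.append("sender spoofs an internal device on the recipient's domain")
    if msg.subject.strip().lower() == SUBJECT:
        hits.append("subject 'Scan Data'")
    if ATTACHMENT_RE.match(msg.attachment_name):
        hits.append("attachment named Scan_<digits>.doc/.pdf")
    if (msg.attachment_head.startswith(RTF_MAGIC)
            and not msg.attachment_name.lower().endswith(".rtf")):
        hits.append("attachment is RTF but not named .rtf")
    return hits


def is_suspect(msg, min_hits=3):
    """Threshold of 3 is a tuning assumption: one or two indicators alone
    are matched by legitimate scanner-to-mailbox traffic."""
    return len(score_message(msg)) >= min_hits


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    # Matches the quoted pattern exactly: internal-looking sender, subject,
    # attachment name, and RTF bytes under a .doc name.
    Message("scanner@example.com", "alice@example.com", "Scan Data",
            "Scan_123456.doc", b"{\\rtf1\\ansi"),
    # A real office scanner: same-domain device sender and a Scan_ name,
    # but a different subject and a genuine PDF body.
    Message("scanner@example.com", "alice@example.com",
            "Scanned document from MFP-02", "Scan_20170412.pdf", b"%PDF-1.4"),
    # External sender, so no domain spoof, but everything else matches.
    Message("copier@attacker.example", "bob@example.com", "Scan Data",
            "Scan_654321.doc", b"{\\rtf1"),
]


def triage(messages=SAMPLE_MESSAGES):
    """Return (sender, matched indicators) for every message over the threshold."""
    return [(m.sender, score_message(m)) for m in messages if is_suspect(m)]


if __name__ == "__main__":
    for sender, hits in triage():
        print(sender, "->", "; ".join(hits))
```

Scoring rather than requiring every indicator keeps the rule useful once the actors change one field (a new subject line, say) while the benign internal scanner in the second sample stays under the threshold.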
This particular Dridex variant is capable of detecting when users access the online banking portals of various Australian banks and other popular sites (Bing, Yahoo, etc.), and of injecting phishing forms and pages into them.
In addition, FireEye has published details of two more email campaigns that exploit the flaw to infect users with LATENTBOT and the WingBird dropper.
It is unusual for banking malware operators to use zero-days against targets, the researchers said.
“This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails,” the researchers said.