This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations primarily in Australia.
This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails. While a focus on exploiting the human factor – that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks – remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day.
Analysis
Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from “<[device]@[recipient’s domain]>”. [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.