Proofpoint security experts warn that the Dridex banking Trojan is exploiting the latest Microsoft Office zero-day vulnerability to compromise users’ computers.
The zero-day allows attackers to achieve code execution on targeted machines. By abusing Office’s Object Linking and Embedding (OLE) functionality, criminals can craft a malicious RTF (Rich Text Format) document containing an OLE object that links to an HTA (HTML Application) file hosted on a remote server; when the document is opened, Office retrieves the HTA and the malicious Visual Basic script it carries is executed.
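To make the delivery mechanism described above concrete, here is an added example, written for this page and not taken from Proofpoint or from the campaign itself, that scans an RTF document for the indicators that matter: an OLE object flagged with `\objautlink` / `\objupdate`, and a remote URL, especially one ending in `.hta`, carried inside the object’s `\objdata` hex payload. The sample RTF is constructed inline so the script runs offline; the `_hex_blob` helper only mimics the shape of such a payload (a marker string plus the target URL as UTF-16LE, the encoding a URL moniker uses) and is not a real OLE1/OLE2 structure or a captured malicious file. The URL carving is a heuristic: it does not parse the OLE container, it looks for URL strings in both ASCII and UTF-16LE.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the hex payload that follows an \objdata control word in RTF.
OBJDATA_RE = re.compile(r"\\objdata\b\s*([0-9A-Fa-f\s]+)")
# Matches the OLE class name, e.g. {\*\objclass Word.Document.8}.
OBJCLASS_RE = re.compile(r"\\objclass\s+([^}]+)")
# Plain URL pattern; applied to the decoded object data in several encodings.
URL_RE = re.compile(r"(?:https?|ftp)://[\x21-\x7e]+", re.IGNORECASE)


def _hex_blob(url: str) -> str:
    """Build a stand-in \\objdata payload: a marker string plus the URL as UTF-16LE.

    Hypothetical layout, constructed for this example only; it mimics a URL
    moniker sitting inside object data and is not a real OLE1/OLE2 structure.
    """
    payload = b"OLE2Link\x00" + url.encode("utf-16-le") + b"\x00\x00"
    return payload.hex()


# Constructed sample document (not a captured malicious file): an auto-updating
# OLE link whose object data carries a remote .hta URL.
SAMPLE_RTF = "".join([
    r"{\rtf1\ansi\deff0",
    r"{\object\objautlink\objupdate\objw1000\objh1000",
    r"{\*\objclass Word.Document.8}",
    r"{\*\objdata " + _hex_blob("http://example.invalid/scan.hta") + "}",
    r"{\result{\pict\wmetafile8 }}}",
    r"\par Scan Data}",
])


@dataclass
class Finding:
    autolink: bool          # \objautlink present: the object is a link, not embedded data
    autoupdate: bool        # \objupdate present: Office refreshes the link when the file opens
    objclass: Optional[str]
    urls: List[str]
    remote_hta: bool        # at least one carved URL ends in .hta


def extract_urls(data: bytes) -> List[str]:
    """Carve URL strings out of raw object data, in ASCII and in UTF-16LE."""
    texts = [data.decode("latin-1")]
    # URL monikers store the target as UTF-16LE; try both byte alignments so a
    # URL that starts on an odd offset is still decoded correctly.
    for offset in (0, 1):
        texts.append(data[offset:].decode("utf-16-le", errors="ignore"))
    found: List[str] = []
    for text in texts:
        for m in URL_RE.finditer(text):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def scan_rtf(rtf: str) -> Finding:
    """Extract OLE-link indicators from the text of an RTF document."""
    urls: List[str] = []
    for blob in OBJDATA_RE.findall(rtf):
        hexstr = re.sub(r"\s+", "", blob)
        if len(hexstr) % 2:            # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        for url in extract_urls(bytes.fromhex(hexstr)):
            if url not in urls:
                urls.append(url)
    m = OBJCLASS_RE.search(rtf)
    remote_hta = any(
        u.lower().split("?", 1)[0].split("#", 1)[0].endswith(".hta") for u in urls
    )
    return Finding(
        autolink="\\objautlink" in rtf,
        autoupdate="\\objupdate" in rtf,
        objclass=m.group(1).strip() if m else None,
        urls=urls,
        remote_hta=remote_hta,
    )


def is_suspicious(finding: Finding) -> bool:
    """An OLE object that links off-host and is refreshed on open is the delivery
    pattern described in the article, whatever the linked file is called."""
    return (finding.autolink or finding.autoupdate) and bool(finding.urls)


if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    print(result)
    print("suspicious:", is_suspicious(result))
```

To run it against a real attachment, read the file as Latin-1 text (`scan_rtf(open(path, encoding="latin-1").read())`) so no byte is lost. A document that links to anything off-host and asks Office to refresh the link on open is worth quarantining even when no `.hta` is visible, since what comes back is whatever the remote server chooses to serve.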
Proofpoint researchers report that the vulnerability is currently being exploited in malicious documents emailed to millions of recipients across different organizations, primarily in Australia. Opening one of these documents installs the Dridex Trojan on the victim’s computer.
The spam campaign consists of messages that purport to come from “”, where [device] can be “copier”, “documents”, “noreply”, “no-reply” or “scanner”. All emails use the subject line “Scan Data”, and the attached Microsoft Word RTF document is named “Scan_xxxx.doc” or “Scan_xxxx.pdf” (despite the .pdf extension, the attachment is an RTF file).
“Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing,” Proofpoint team states.
Once the malicious document is opened, the exploit runs a chain of operations that typically ends with Dridex botnet ID 7500 being installed on the user’s PC.
According to the researchers, the exploit ran without any interaction from the victim: the system was compromised even in cases where the user was shown a dialog warning that the document contains “links that may refer to other files.”
The researchers also noted that the Dridex instance distributed in this campaign carried a configuration of more than 100 web injects targeting well-known banks, other online services and popular applications.
“Although document exploits are being used less frequently in the wild, with threat actors favoring social engineering, macros, and other elements that exploit ‘the human factor,’ this campaign is a good reminder that actors will shift tactics as necessary to capitalize on new opportunities to increase the effectiveness of their efforts,” Proofpoint’s security team states.