Microsoft Word Flaw Used in Dridex Malware Campaign
- by Jacquelyn Byrd
- in IT&Software
- — Apr 13, 2017
Speaking on the Proofpoint website, a security analyst said: 'This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day.'
Cybersecurity firm Proofpoint has reported a Microsoft Word vulnerability being used as an attack vector for Dridex malware.
The .hta file gives the attacker full code execution on the victim's machine, bypassing the memory-based mitigations Microsoft has developed (the flaw is abused through Word's handling of the linked object rather than through memory corruption, so those mitigations never come into play).
The exploit also downloads and displays a decoy Word document to the user to hide the prompt generated by the OLE2link object, FireEye said. The Microsoft patch, he added, should be installed automatically tomorrow on computers running Windows 7, 8 and 10.
McAfee said it identified the attacks on Thursday and decided to release its advisory immediately; the advisory appeared late on Friday. While Microsoft works on a patch, McAfee recommends not opening Office files obtained from untrusted sources and enabling Office Protected View. Microsoft is reportedly working on a fix that should be available on Tuesday.
To mitigate the security flaw, users should download the most recent patch from Microsoft.
The exploit connects to a remote server controlled by the attacker, downloads a file containing HTML Application content, and executes it as an .hta file, according to a blog post by McAfee.
According to the researchers, a victim opening a suspicious Word file received by email, one with an OLE2link object embedded in it, would cause winword.exe to make an HTTP request to the attacker's remote server.
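The chain described above (a Word document whose embedded OLE2link object points at an attacker-controlled URL that serves HTML Application content) can be triaged statically before the file is ever opened. The script below is an added example, not code from the article or from Proofpoint, McAfee or FireEye. It inspects two containers: RTF, where the OLE object is stored as hex inside \objdata with the class name OLE2Link next to a URL moniker, and OOXML (.docx), where the equivalent link appears as an oleObject relationship with TargetMode="External". The .docx check generalises beyond the file type the article describes. The two sample documents are constructed inline for the demonstration; they mimic the layout only and are not working exploits, and hosts such as example.invalid are placeholders.

```python
"""Static triage for Word documents carrying externally linked OLE objects.

Added example; not code from the article, Proofpoint, McAfee or FireEye.
Assumptions: the OOXML relationship type and TargetMode="External" attribute
are the standard ones; the RTF check decodes \\objdata hex and looks for the
"OLE2Link" class name beside an http(s) URL. Both samples are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+")


def external_ole_targets_docx(data: bytes) -> List[str]:
    """Return targets of OLE object relationships that point outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target"))
    return hits


def external_ole_targets_rtf(data: bytes) -> List[str]:
    """Decode every \\objdata blob; report URLs found next to an OLE2Link marker."""
    hits = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        raw = bytes.fromhex(hexdata[: len(hexdata) & ~1].decode("ascii"))
        if b"OLE2Link" not in raw:
            continue
        # A URL moniker stores the link as UTF-16LE; try both alignments and
        # plain 8-bit text so an ASCII URL is caught as well.
        candidates = [raw.decode("utf-16-le", errors="ignore"),
                      raw[1:].decode("utf-16-le", errors="ignore"),
                      raw.decode("latin-1")]
        for text in candidates:
            hits.extend(URL_RE.findall(text))
    return list(dict.fromkeys(hits))  # dedupe, keep order


def triage(data: bytes) -> List[str]:
    """Dispatch on container format; a non-empty result means: sandbox it, do not open it."""
    if data.startswith(b"PK\x03\x04"):
        return external_ole_targets_docx(data)
    if data.startswith(b"{\\rtf"):
        return external_ole_targets_rtf(data)
    return []


def build_sample_docx(url: str) -> bytes:
    """Constructed sample: minimal OOXML package whose rels link an OLE object to url.

    The second relationship is an ordinary embedded object and must not be flagged.
    """
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{url}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_rtf(url: str) -> bytes:
    """Constructed sample: an \\objautlink object whose data carries the OLE2Link
    class name followed by a UTF-16LE URL (layout only, not a working exploit)."""
    blob = b"\x00" * 8 + b"OLE2Link" + b"\x00" * 8 + url.encode("utf-16-le") + b"\x00\x00"
    return b"{\\rtf1{\\object\\objautlink\\objdata " + blob.hex().encode("ascii") + b"}}"


if __name__ == "__main__":
    for sample in (build_sample_docx("http://example.invalid/update.doc"),
                   build_sample_rtf("http://example.invalid/update.doc")):
        print(triage(sample))
```

A non-empty result is a reason to detonate the file in a sandbox rather than open it in Word. The check keys on the link being external, not on an .hta extension, because the downloaded file need not carry one; the article only says it contains HTML Application content.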
Allen acknowledged that "it would take a skilled research team" to recreate the OLE vulnerability, but added, "We know there are threat actors out there who have that facility".
Business users regularly trade Office files via email, a fact that cyber-attackers rely on for their spam and phishing campaigns. Microsoft's monthly security updates are scheduled for Tuesday, but it is not yet known whether a fix for this vulnerability will be among them. He suggested that users enable Office Protected View.
But FireEye believes these attacks only began after the McAfee blog post, and that the attackers likely reverse engineered the vulnerability from it.
Users of Microsoft Office are being warned of a new zero-day security flaw that has been exploited since at least January. The attack cannot bypass Word's Protected View, so McAfee suggests keeping that mode enabled when opening documents; the protection holds only as long as the user does not click through to enable editing.