Over the weekend, a previously undetected zero-day vulnerability was reported in Word, affecting all versions including Word 2016. The cybersecurity firm Proofpoint discovered that the bug is being actively exploited by a large e-mail campaign.
According to Proofpoint, the campaign is targeting various organisations across Australia, delivering the Dridex banking Trojan. This gives Dridex a significant advantage over its previous campaigns, which depend on macro-infected documents and therefore on the user enabling macros.
Every e-mail Proofpoint examined using this exploit over the weekend used the same e-mail template. The subject is consistently “Scan Data”, with the ‘From’ field spoofing an internal e-mail domain contact. The attachment name is “Scan_”, followed by a series of digits, such as ‘Scan_652019.doc’.
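The three indicators above (a fixed subject, a spoofed internal sender and a `Scan_<digits>.doc` attachment) are enough to triage mail-gateway logs for this campaign. The following is an added example written for this article, not code from Proofpoint or the original post; the `Message` record and its `external_origin` field are assumptions about what a gateway log provides, and the sample messages are constructed. Requiring at least two indicators keeps a real office scanner that legitimately sends "Scan Data" mail from being flagged.

```python
import re
from dataclasses import dataclass

# Indicators as described by Proofpoint for this campaign.
CAMPAIGN_SUBJECT = "scan data"
ATTACHMENT_RE = re.compile(r"^Scan_\d+\.doc$", re.IGNORECASE)


@dataclass
class Message:
    """Minimal view of a message as a mail gateway might log it (assumed layout)."""
    sender: str            # value of the From header
    subject: str
    attachments: list      # attachment file names
    external_origin: bool  # True when the connecting MTA was outside the organisation (assumed field)


def sender_domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def campaign_indicators(msg: Message, internal_domain: str) -> list:
    """Return the names of the campaign indicators that a message matches."""
    hits = []
    if msg.subject.strip().lower() == CAMPAIGN_SUBJECT:
        hits.append("subject")
    if any(ATTACHMENT_RE.match(name) for name in msg.attachments):
        hits.append("attachment")
    # A From header in our own domain on a message that arrived from outside is spoofed.
    if msg.external_origin and sender_domain(msg.sender) == internal_domain.lower():
        hits.append("spoofed-internal-sender")
    return hits


def triage(messages, internal_domain: str, threshold: int = 2) -> list:
    """Flag messages matching at least `threshold` indicators; returns (sender, hits) pairs."""
    flagged = []
    for msg in messages:
        hits = campaign_indicators(msg, internal_domain)
        if len(hits) >= threshold:
            flagged.append((msg.sender, hits))
    return flagged


# Constructed sample log entries for an organisation whose own domain is example.com.
SAMPLE_MESSAGES = [
    Message("scanner@example.com", "Scan Data", ["Scan_652019.doc"], True),   # campaign lure
    Message("scanner@example.com", "Scan Data", ["Scan_000123.pdf"], False),  # real office scanner
    Message("partner@example.org", "Q2 invoice", ["invoice.docx"], True),     # unrelated mail
]

if __name__ == "__main__":
    for sender, hits in triage(SAMPLE_MESSAGES, "example.com"):
        print(sender, hits)
```

Only the first sample is flagged: it matches all three indicators, while the legitimate scanner matches the subject alone and stays below the threshold.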
When the attachment is opened, it automatically attempts to install Dridex with botnet ID 7500. If "Protected View" is not enabled in Word, no user interaction is required for the exploit to take hold, regardless of any message that appears. If a "Protected View" banner appears (common with e-mailed documents), the user only needs to click "Enable Editing" for the exploit to run.
Microsoft patched this vulnerability on April 11, 2017. Given how effective the exploit is and that it is being actively exploited, users and organisations should apply the patch as soon as possible.
The same Word bug is also now being exploited to install malware known as Godzilla and Latentbot, according to Ars Technica.