A vulnerability in Microsoft Office that was patched in April is being actively exploited by cybercriminals. Once a computer running the vulnerable Office version opens an infected document, a backdoor is installed. Although the issue has been patched for some time, many users remain vulnerable, especially on enterprise computers where patches are usually not rolled out immediately.
When a user opens a malicious document, the attacker is able to install malware on a vulnerable computer. Cybercriminals sent documents named “UPOS_update.doc”, “amendment.doc”, “Information 2.doc” and “Anti-Money Laundering & Suspicious cases.doc” that, when opened, exploit the unpatched vulnerability.
Cybercriminals were already targeting the vulnerability before Microsoft patched it, but since August the number of attacks has increased, according to antivirus vendor Sophos. When a user opens one of the mentioned documents, the code in the document installs a backdoor called Uwarrior on the computer. This gives the attackers full control over the computer.
To prevent infection, Sophos recommends properly patching Office and not opening attachments in unsolicited emails.