Microsoft Word zero-day flaw 'used to infect millions'

Researchers spot mass Dridex email campaign before Microsoft patched the vulnerability

Hackers are taking advantage of a newly revealed Microsoft Word zero-day to mount a very large campaign infecting the systems of millions of recipients across numerous organisations.

Cyber criminals are exploiting the vulnerability to spread Dridex malware, according to ablog postby IT security firm Proofpoint. Victims are sent an attached Microsoft Word RTF (Rich Text Format) document via email- the malware exploits the way Microsoft handles OLE2Link objects. Researchers said this exploit bypasses most mitigations.

Advertisement - Article continues below

When recipients open the document, the exploit, if successful, is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user's system.

The researchers said that in testing, a vulnerable system was fully exploited even though users were presented a dialogue about the document containing "links that may refer to other files" (user interaction was not required).

"The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system," according to anadvisory by CERT at the Software Engineering Institute at Carnegie Mellon University.

Unusually, users do not have to enable macros for the exploit to work. Documents with macros are normally blocked from working by security features in Office and Windows.

Advertisement
Advertisement - Article continues below

Researchers said that campaign was the first they had observed that uses the newly disclosed Microsoft zero-day. "This represents a significant level of agility and innovation for Dridex actors," said researchers. They added: "This campaign was sent to millions of recipients across numerous organizations primarily in Australia."

Advertisement - Article continues below

ITProasked Microsoft whether it had seen evidence of the mass email campaign. The vendor released its patch for the flaw yesterday, but this would be too late for anyone who had clicked on a malicious email before then.

A Microsoft spokesperson said that the flaw "was addressed in the April security update release on April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected."

Sherrod DeGrippo, director of Emerging Threats atProofpoint, told IT Pro that threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users.

"Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits. New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit," he said.

11/04/2017:Microsoft releases update to patch Word bug

Advertisement - Article continues below

Microsoft has announced a patch for a flaw in Microsoft Word thatallowed hackers to gain access to a victim's machine.

Microsoft will fix the bug, which surfaced last weekend, as part of today's Patch Tuesday.

A Microsoft spokesmansaid: "We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically."

The spokesman added: "Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."

Security researchers at FireEye and McAfee discovered the zero-day bug, finding that it enabled hackers to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit.

Advertisement
Advertisement - Article continues below

Finding various malicious Office documents which exploited the vulnerability, the researchers found the exploit downloads and executes malware payloads from various well known malware families.

Advertisement - Article continues below

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, McAfee wrote inablog post. As .hta is executable, the attacker can access the victim's machine as they gain full code execution.

10/04/2017:Zero-day bug in Word could allow hackers to take over your PC

Security researchers at two companies have revealed a flaw in Microsoft Word that could allow hackers to gain full access to a victim's machine.

A previously undisclosed vulnerability in Microsoft Office RTF documents enables a hacker to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit, according toFireEye and McAfee.

Researchers found several malicious Office documents exploiting the vulnerability, which downloads and executes malware payloads from different well-known malware families.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, according to ablog postby McAfee. Because .hta is executable, the attacker gains full code execution on the victim's machine.

Advertisement - Article continues below

"Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft," said Haifei Li, senior vulnerability researcher at McAfee.

He added that the successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system. Li said that the root cause of the zero-day vulnerability is related to Windows Object Linking and Embedding (OLE).

Genwei Jiang, senior research engineer at FireEye, said that Microsoft Office users are recommended to apply a patch as soon as one is available.He added that FireEye has updated its email and network products to detect the attack.

In tests carried out by McAfee, Li said the attack cannot bypass the OfficeProtected View. He suggested that users enable Office Protected View.

Microsoft's Patch Tuesday release of fixes is due tomorrow. There is no word on whether this bug will be fixed in that set of updates.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020