Microsoft Word zero-day flaw 'used to infect millions'

Researchers spot mass Dridex email campaign before Microsoft patched the vulnerability

Hackers are taking advantage of a newly revealed Microsoft Word zero-day to mount a very large campaign infecting the systems of millions of recipients across numerous organisations.

Cyber criminals are exploiting the vulnerability to spread Dridex malware, according to ablog postby IT security firm Proofpoint. Victims are sent an attached Microsoft Word RTF (Rich Text Format) document via email- the malware exploits the way Microsoft handles OLE2Link objects. Researchers said this exploit bypasses most mitigations.

When recipients open the document, the exploit, if successful, is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user's system.

The researchers said that in testing, a vulnerable system was fully exploited even though users were presented a dialogue about the document containing "links that may refer to other files" (user interaction was not required).

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"The Microsoft OLE2Link object can open application data based on the server-provided MIME type, which can allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system," according to anadvisory by CERT at the Software Engineering Institute at Carnegie Mellon University.

Unusually, users do not have to enable macros for the exploit to work. Documents with macros are normally blocked from working by security features in Office and Windows.

Researchers said that campaign was the first they had observed that uses the newly disclosed Microsoft zero-day. "This represents a significant level of agility and innovation for Dridex actors," said researchers. They added: "This campaign was sent to millions of recipients across numerous organizations primarily in Australia."

ITProasked Microsoft whether it had seen evidence of the mass email campaign. The vendor released its patch for the flaw yesterday, but this would be too late for anyone who had clicked on a malicious email before then.

A Microsoft spokesperson said that the flaw "was addressed in the April security update release on April 11, 2017. Customers who applied the update, or have automatic updates enabled, are already protected."

Sherrod DeGrippo, director of Emerging Threats atProofpoint, told IT Pro that threat actors continue to demonstrate their flexibility and adaptability, rapidly taking advantage of new means of infecting users.

Advertisement - Article continues below

"Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits. New, exploitable vulnerabilities are often not readily available but, in this case, attackers obviously jumped at an opportunity to launch a large campaign that relied on this new exploit," he said.

11/04/2017:Microsoft releases update to patch Word bug

Microsoft has announced a patch for a flaw in Microsoft Word thatallowed hackers to gain access to a victim's machine.

Microsoft will fix the bug, which surfaced last weekend, as part of today's Patch Tuesday.

Advertisement
Advertisement - Article continues below

A Microsoft spokesmansaid: "We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically."

The spokesman added: "Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."

Advertisement - Article continues below

Security researchers at FireEye and McAfee discovered the zero-day bug, finding that it enabled hackers to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit.

Finding various malicious Office documents which exploited the vulnerability, the researchers found the exploit downloads and executes malware payloads from various well known malware families.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, McAfee wrote inablog post. As .hta is executable, the attacker can access the victim's machine as they gain full code execution.

10/04/2017:Zero-day bug in Word could allow hackers to take over your PC

Security researchers at two companies have revealed a flaw in Microsoft Word that could allow hackers to gain full access to a victim's machine.

A previously undisclosed vulnerability in Microsoft Office RTF documents enables a hacker to execute a Visual Basic script when the user opens a malicious document sent to them containing an embedded exploit, according toFireEye and McAfee.

Advertisement - Article continues below

Researchers found several malicious Office documents exploiting the vulnerability, which downloads and executes malware payloads from different well-known malware families.

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file, according to ablog postby McAfee. Because .hta is executable, the attacker gains full code execution on the victim's machine.

Advertisement
Advertisement - Article continues below

"Thus, this is a logical bug, and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft," said Haifei Li, senior vulnerability researcher at McAfee.

He added that the successful exploit closes the bait Word document, and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system. Li said that the root cause of the zero-day vulnerability is related to Windows Object Linking and Embedding (OLE).

Genwei Jiang, senior research engineer at FireEye, said that Microsoft Office users are recommended to apply a patch as soon as one is available.He added that FireEye has updated its email and network products to detect the attack.

In tests carried out by McAfee, Li said the attack cannot bypass the OfficeProtected View. He suggested that users enable Office Protected View.

Advertisement - Article continues below

Microsoft's Patch Tuesday release of fixes is due tomorrow. There is no word on whether this bug will be fixed in that set of updates.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/business/business-strategy/354304/ex-apple-cpu-architect-accuses-the-firm-of-invading-privacy
Business strategy

Ex-Apple CPU architect accuses the firm of invading privacy

10 Dec 2019
Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019