The Microsoft zero-day found over the weekend is being exploited in a large email campaign distributing the Dridex banking Trojan.
Emails sent from spoofed addresses, each carrying a malicious Microsoft Word attachment, use "Scan Data" as the subject line. It’s not a sophisticated lure, but there aren’t necessarily any blatant red flags, either.
“This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails,” said Proofpoint researchers, in an analysis of the offensive. “While a focus on exploiting the human factor—that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks—remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively.”
This, the first widespread campaign Proofpoint has observed that leverages the newly disclosed bug, has targeted millions of recipients across numerous organizations in the past few days, primarily in Australia.
That said, other researchers noted that the zero-day may have been used against Microsoft Word users as early as late January. The attack allows hackers to remotely execute code on a targeted computer, delivering, as in this case, the Dridex Trojan. However, the flaw could be used to silently deliver many other types of malware and, because it’s a logic bug rather than a memory-corruption bug, it bypasses memory-based mitigations, according to McAfee.
Microsoft is expected to issue a patch within the day. “Because of the widespread effectiveness and rapid weaponization of this exploit, it is critical that users and organizations apply the patch as soon as it becomes available,” Proofpoint said.