On April 8th, 2017 a zero-day vulnerability in Microsoft Office was identified as a campaign of infected Word documents targeted users worldwide. The documents were sent out by a group known as Dridex, which is known for abusing Office macros to install malware but has found a route that bypasses macros entirely for this attack.
The Proofpoint Analysis is as follows:
Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from “”. [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.
While this particular email campaign was run by a group that regularly goes after banking information, it should concern everyone who uses Microsoft Office, because it reveals an exploit that others may use to send malicious files in the future.
The April 8th attack is disconcerting for several reasons:
- It is fairly sophisticated, and the infected files look like files sent from a hardware device in the target’s office.
- It avoids the most common routes of detection by antivirus software and security controls by exploiting a new Microsoft vulnerability.
- Microsoft waited an unusually long time to disclose this vulnerability, which is surprising considering the scope of the attack and the exploitation of Microsoft software.
- Zero-day attacks more commonly target individuals in high-security positions. Seeing an attack of this type launched against a wide base of users is unusual.
A patch for the vulnerability was released by Microsoft on Tuesday, April 11th. Regardless of whether or not your device is patched, PMCS recommends the following practices to protect yourself from infection:
- Never open emails or documents from unknown sources.
- Don’t open documents unless you know the sender and know the sender meant to send a file to you.
- Disable macros on your devices.
- If a file opens in Protected View and you cannot make sense of the document, do not disable Protected View in order to read it.
Protected View is enabled by default in Microsoft Word, but to make sure you have the extra protection it offers, follow the instructions below to confirm that Protected View is enabled:
- Click the File tab in the upper left corner.
- Select Options.
- Select Trust Center in the left pane.
- Click Trust Center Settings.
- Select Protected View.
- Check all three options under Protected View and click OK.
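As an added example (not part of the original post), the following PowerShell snippet audits those same three Protected View settings from the current user’s registry, so an administrator can confirm them without clicking through each machine. It assumes the three checkboxes map to the values DisableInternetFilesInPV, DisableUnsafeLocationsInPV and DisableAttachmentsInPV under the version-specific Word\Security\ProtectedView key, where a value of 1 means that category has been switched off and a missing value means the default (enabled) applies.

```powershell
# Added example: audit Word's Protected View settings for the current user.
# Assumption: 15.0 = Office 2013 and 16.0 = Office 2016 and later; a value of 1
# disables that Protected View category, absent or 0 leaves it enabled.

function Test-WordProtectedView {
    [CmdletBinding()]
    param(
        [string[]]$Versions = @('15.0', '16.0')
    )

    # Registry value name => the checkbox label shown in the Trust Center
    $settings = @{
        DisableInternetFilesInPV   = 'Files originating from the Internet'
        DisableUnsafeLocationsInPV = 'Files located in potentially unsafe locations'
        DisableAttachmentsInPV     = 'Outlook attachments'
    }

    foreach ($ver in $Versions) {
        # Skip Office versions that are not installed for this user
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Word")) { continue }
        $key = "HKCU:\Software\Microsoft\Office\$ver\Word\Security\ProtectedView"

        foreach ($name in $settings.Keys) {
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                OfficeVersion = $ver
                Setting       = $settings[$name]
                RegistryValue = $name
                Enabled       = ($value -ne 1)   # absent or 0 means Protected View is on
            }
        }
    }
}

# Print the full report, then warn about any category that has been turned off
$report = Test-WordProtectedView
$report | Format-Table -AutoSize
$off = $report | Where-Object { -not $_.Enabled }
if ($off) {
    Write-Warning "Protected View is disabled for: $($off.Setting -join '; '). Re-enable it under File > Options > Trust Center > Trust Center Settings > Protected View."
}
```

On domain-joined machines a Group Policy setting under HKCU:\Software\Policies\Microsoft\Office\<version>\Word\Security\ProtectedView takes precedence over the user values checked here, so a clean result from this script should be read alongside the applied policy.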
Zero-day attacks are relatively uncommon but pose a large threat because they are difficult to protect against. Antivirus programs cannot protect against threats they have no definition for yet, so zero-days often meet no resistance from your computer. The best way to avoid being harmed by zero-day attacks is to implement good safety practices and follow them regardless of whether a new threat has been identified.
If you are concerned that you may be infected or would like to plan to prevent infections in the future please give us a call at (818)957-5647. PMCS has decades of experience preventing infections and repairing the damage done by malware and viruses. We are here to help if you are concerned about this new threat.