Microsoft closes Word vulnerability that was at the basis of spam campaign with banking Trojan
Microsoft released a fix on Tuesday that closes a serious vulnerability in Word. An email campaign discovered on Monday took advantage of this vulnerability to distribute the Dridex banking trojan.
Microsoft has closed the Word vulnerability with a fix that is part of the regular monthly security update released on Tuesday, ZDNet reports. Microsoft has confirmed that the vulnerability makes it possible to install malware even on a system with the latest security updates. Attackers could take control of the system, Microsoft said, installing new programs and creating new accounts with full user privileges.
On Monday, security firm Proofpoint warned that it had discovered the email campaign. The attackers use a vulnerability in Microsoft Word that was revealed by researchers last weekend. The malware is the Dridex trojan, which focuses, among other things, on stealing login details for internet banking.
The spam campaign targeted millions of users and focused on businesses in Australia. The researchers note that the people behind the campaign reacted quickly, because the Word vulnerability has not been known for long. Before this, many victims were infected with Dridex via Word macros.
The e-mails carry an attachment in the form of an RTF file. The email appears to come from a device within the recipient's organization, such as a scanner or copier. The subject is therefore 'scan data' and the attachments are named 'scan 12345', where the numbers are random. Once the document is opened, the exploit runs. Proofpoint notes that this happened during its testing, even though Word 2010 displayed a message warning that the file contains links to other files.
The Word vulnerability in question, which allows a system to be taken over, was recently disclosed by researchers at security firm McAfee and later by FireEye. The vulnerability is serious because a successful exploit bypasses Windows security measures and does not require users to enable macros in Word. Users are therefore advised not to open unknown Word files. The method reportedly does not work with Protected View, which therefore presents a significant barrier if it is enabled.
The attack via Word documents works because the file contains an OLE2link object. After the file is opened, Word retrieves a malicious HTA file, disguised as an RTF file, via an HTTP request. Word is then closed to hide the aforementioned warning, and the victim is presented with a decoy document.
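As an added illustration of how a defender might triage attachments of this kind (this is example code written for this article, not Proofpoint's, McAfee's or FireEye's tooling), the scanner below decodes the hex `\objdata` blobs inside an RTF file and flags objects whose decoded bytes contain the "OLE2Link" marker together with an http(s) URL, the two traits the article describes. The sample RTF is constructed for the test and is not a working document; the check for the `\objupdate`/`\objautlink` control words is an assumed extra heuristic for objects that ask Word to refresh them on open.

```python
import re
import binascii

# Constructed sample: a minimal RTF skeleton whose \objdata blob decodes to bytes
# containing the "OLE2Link" marker and a UTF-16LE http URL. Not a working document.
_payload = b"OLE2Link\x00" + "http://example.invalid/scan.hta".encode("utf-16le")
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    + binascii.hexlify(_payload)
    + b"}}}"
)
CLEAN_RTF = b"{\\rtf1\\ansi Hello world.}"  # constructed benign control sample

# Match the hex run that follows an \objdata control word (whitespace allowed).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata hex blob found in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]  # tolerate a dangling odd nibble
        blobs.append(binascii.unhexlify(hexstr))
    return blobs


def contains_marker(blob: bytes, marker: str) -> bool:
    """OLE streams mix ASCII and UTF-16LE strings, so check both encodings."""
    return marker.encode("ascii") in blob or marker.encode("utf-16le") in blob


def suspicious_objects(rtf: bytes) -> list:
    """One finding per embedded object that carries an OLE2Link marker or a URL."""
    auto_update = b"\\objupdate" in rtf or b"\\objautlink" in rtf  # assumed heuristic
    findings = []
    for blob in extract_objdata(rtf):
        has_link = contains_marker(blob, "OLE2Link")
        has_url = contains_marker(blob, "http://") or contains_marker(blob, "https://")
        if has_link or has_url:
            findings.append({"ole2link": has_link, "http_url": has_url,
                             "auto_update": auto_update})
    return findings


if __name__ == "__main__":
    print(suspicious_objects(SAMPLE_RTF))  # one finding with all three flags True
    print(suspicious_objects(CLEAN_RTF))   # []
```

A hit is a reason to quarantine and inspect the attachment, not proof of exploitation; legitimate linked objects can also carry URLs.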