Recently Disclosed Word Vulnerability Used In Banking Trojan Spam Campaign
Security firm Proofpoint warns that it has discovered an email campaign spreading malicious documents. The attackers exploit a vulnerability in Microsoft Word that researchers disclosed this weekend.
Proofpoint reports that the malware is the well-known Dridex trojan, which focuses, among other things, on stealing login credentials for online banking. The spam campaign targeted millions of users and concentrated on businesses in Australia. The researchers note that the people behind the campaign reacted quickly, since the Word vulnerability has only been public for a few days. Until now, most Dridex victims were infected through Word macros.
The emails carry an attachment in the form of an RTF file. The message is made to look as if it comes from a device within the recipient's organisation, such as a scanner or copier: the subject is therefore 'scan data' and the attachments are named 'scan 12345', where the digits are random. Once the document is opened, the exploit runs. Proofpoint notes that in its tests the exploit ran regardless of the dialog that Word 2010 displayed warning that the file contains links to other files.
The Word vulnerability in question, which allows an attacker to take control of the system, was recently disclosed by researchers at security firm McAfee and shortly afterwards by FireEye. The vulnerability is serious because a successful exploit bypasses Windows security measures and does not require users to enable macros in Word. Users are therefore advised not to open Word files from unknown sources. The method does not work while the document is in Protected View, so Protected View presents a significant barrier as long as it is enabled and the user does not click out of it.
F-Secure security researcher Mikko Hypponen assumes Microsoft will release a patch on Tuesday for the vulnerability, which is being used in conjunction with a Windows vulnerability. Microsoft itself has not yet issued a statement about the vulnerability. The attack via Word documents works because the RTF file contains an embedded OLE2Link object that points to a remote resource. When the file is opened, Word updates the link and retrieves a malicious HTA file over HTTP; the file is disguised as an RTF document, but Word hands it to the HTA handler, which executes the script it contains. Word is then closed to hide the warning mentioned above, and the victim is shown a decoy document.
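The mechanism described above can be checked for without opening the document. The following scanner is an added example, not code from Proofpoint, McAfee or FireEye: it decodes every `\*\objdata` group in an RTF file and looks for the three traits the article describes, an embedded object whose class name is `OLE2Link`, the `\objupdate` (or `\objautlink`) control word that makes Word refresh the link on open, and a URL moniker carrying the remote address. The RTF fixture it builds is constructed for this example with a placeholder URL and is not a working exploit; it approximates the on-disk layout (the moniker is placed directly in the object's native data rather than inside a compound file), and the detector simply searches the decoded bytes for the URL moniker CLSID, which also works on real files where that CLSID sits inside the embedded OLE stream.

```python
"""Scan an RTF document for an auto-updating OLE2Link object.

Added example, not code from the page or the firms it cites. Builds a
constructed fixture and reports the OLE2Link / auto-update / URL-moniker
traits; assumptions are noted in the comments.
"""
import re
import struct

# CLSID of the URL moniker, {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, in the
# little-endian byte order in which a GUID is serialised on disk.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# Matches a {\*\objdata ...} group; the capture is the hex-encoded OLE1 object.
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(rtf: bytes):
    """Yield the binary contents of every \\*\\objdata group in the RTF."""
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:            # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        yield bytes.fromhex(hexdata.decode("ascii"))


def extract_url(blob: bytes):
    """Return the URL stored after a URL moniker CLSID, or None.

    Layout after the CLSID: a 4-byte little-endian byte length followed by
    the URL as a NUL-terminated UTF-16LE string.
    """
    idx = blob.find(URL_MONIKER_CLSID)
    if idx < 0:
        return None
    pos = idx + len(URL_MONIKER_CLSID)
    if pos + 4 > len(blob):
        return None
    (length,) = struct.unpack_from("<I", blob, pos)
    raw = blob[pos + 4 : pos + 4 + length]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00") or None


def scan_rtf(rtf: bytes) -> dict:
    """Report which OLE2Link traits an RTF document shows."""
    findings = {
        "ole2link_object": False,
        # Either control word makes Word refresh the link when the file opens.
        "auto_update": b"\\objupdate" in rtf or b"\\objautlink" in rtf,
        "urls": [],
    }
    for blob in decode_objdata(rtf):
        if b"OLE2Link" in blob:
            findings["ole2link_object"] = True
        url = extract_url(blob)
        if url:
            findings["urls"].append(url)
    findings["suspicious"] = (
        findings["ole2link_object"] and findings["auto_update"] and bool(findings["urls"])
    )
    return findings


def build_fixture(url: str) -> bytes:
    """Construct a minimal RTF carrying the markers (test fixture, not an exploit).

    The OLE1 header (version, format id, class name) follows the real layout;
    the moniker is placed straight into the native-data field as a
    simplification, so the fixture is not a valid embedded object.
    """
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(url_utf16)) + url_utf16
    class_name = b"OLE2Link\x00"
    ole1 = (
        struct.pack("<II", 0x00000501, 2)             # OLEVersion, FormatID=embedded
        + struct.pack("<I", len(class_name)) + class_name
        + struct.pack("<II", 0, 0)                     # empty TopicName, ItemName
        + struct.pack("<I", len(moniker)) + moniker    # NativeDataSize, NativeData
    )
    objdata = ole1.hex().encode("ascii")
    return (
        b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1"
        b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + objdata + b"}}"
        b"\\par Decoy text shown to the victim.\\par}"
    )


if __name__ == "__main__":
    # Placeholder address; example.invalid can never resolve.
    print(scan_rtf(build_fixture("http://example.invalid/scan.doc")))
```

Run it against a real attachment with `scan_rtf(open(path, "rb").read())`; a file that shows all three traits is worth quarantining before anyone opens it, and the extracted URL is the indicator to block at the proxy.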