Sample document spreading DOC file boobytrapped with unpatched Office 0-day (via Proofpoint)

The operators of the Dridex botnet are using the recently disclosed Microsoft Office zero-day to spread their malware, the infamous Dridex banking trojan.

It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend.

Dridex campaign targeted Australian users

According to cyber-security firm Proofpoint, which discovered the Dridex spam campaign delivering Word documents weaponized with this zero-day, the spam wave, consisting of millions of emails, targeted mainly Australia.

The Dridex malware version delivered through these emails, which mimicked document scans, was configured to target a slew of Australian banks and installed Dridex botnet ID 7500, one of the many Dridex variants active today. Proofpoint reported activity from Dridex botnet ID 7500 last week, but a spokesperson has not confirmed whether the group was already using the zero-day at that time.

This campaign is the first time the Dridex group has been seen using an unpatched zero-day to distribute its malware. Until now, the group has relied on Word files laced with macro scripts.

Microsoft to patch zero-day today

While Microsoft didn't respond to a request for comment over the weekend, a Microsoft spokesperson has since said the company would try to fix the issue in today's planned Patch Tuesday. Today Microsoft will also release the next major Windows 10 version, called Creators Update.

The Office zero-day affects all Windows and Microsoft Office versions. It is exploited not via macro scripts but through an embedded OLE object that executes automatically when the victim opens the file.
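As an added illustration, not code from the article or from Proofpoint, McAfee or FireEye, the Python below triages a Word document for the kind of embedded or linked OLE object the article describes, covering both the legacy binary .doc container and the OOXML .docx zip. The container conventions it checks (the word/embeddings/ parts and oleObject relationships of OOXML, the ObjectPool storage of the binary format) are the standard Word layouts rather than anything the article states, and the sample document it builds is constructed for the demo.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file header (.doc)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) is a zip archive
OLE_REL = b"relationships/oleObject"               # OOXML relationship type suffix

def _ooxml_objects(data):
    """Stored OLE parts plus oleObject relationships inside a .docx zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        found = [n for n in names if n.startswith("word/embeddings/")]
        rels_name = "word/_rels/document.xml.rels"
        rels = z.read(rels_name) if rels_name in names else b""
    for tag in re.findall(rb"<Relationship\b[^>]*>", rels):
        if OLE_REL in tag:
            target = re.search(rb'Target="([^"]*)"', tag)
            # TargetMode="External": the object is fetched at open time, not stored in the file
            mode = "external" if b'TargetMode="External"' in tag else "embedded"
            found.append(f"oleObject ({mode}): {target.group(1).decode() if target else '?'}")
    return found

def find_embedded_objects(data):
    """Identify the container format and list any embedded or linked OLE objects."""
    if data.startswith(ZIP_MAGIC):
        return {"container": "ooxml", "objects": _ooxml_objects(data)}
    if data.startswith(OLE_MAGIC):
        # Legacy .doc keeps embedded objects under an "ObjectPool" storage;
        # directory entry names are UTF-16LE, so search for that encoding.
        hit = "ObjectPool".encode("utf-16-le") in data
        return {"container": "ole2", "objects": ["ObjectPool storage"] if hit else []}
    return {"container": "unknown", "objects": []}

def make_docx(parts):
    """Build a minimal .docx-shaped zip from {part name: content}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a "scan" carrying an OLE object that points at a remote target.
SAMPLE_DOCX = make_docx({
    "word/document.xml": "<w:document/>",
    "word/embeddings/oleObject1.bin": OLE_MAGIC,
    "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId9" Type="http://'
    'schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="http://example.invalid/scan" TargetMode="External"/></Relationships>'})
```

Any non-empty `objects` list in an unsolicited "scanned document" is the triage signal; a mail gateway or sandbox can apply the same check before the file reaches a user.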

The only way to protect yourself, according to McAfee and FireEye, is to configure Office to use Protected View.

The advice not to open files from people you don't know is of little help to employees who handle scanned documents daily in a business environment, where they regularly have to open scans and Word files from unknown, potential business partners.