Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day

April 10, 2017
Proofpoint Staff

[Updated April 11, 2017, to reflect the release of a patch for CVE-2017-0199 and provide additional details on the function of the exploit document]

Overview

This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations primarily in Australia.

This represents a significant level of agility and innovation for Dridex actors who have primarily relied on macro-laden documents attached to emails. While a focus on exploiting the human factor - that is, the tendency of people to click and inadvertently install malware on their devices in socially engineered attacks - remains a key trend in the current threat landscape, attackers are opportunists, making use of available tools to distribute malware efficiently and effectively. This is the first campaign we have observed that leverages the newly disclosed Microsoft zero-day.

Analysis

Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "<[device]@[recipient's domain]>". [device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits. Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.

A sample email is shown in Figure 1 below.

Figure 1: Sample email from Dridex campaign exploiting Microsoft Word zero-day

When recipients open the document, the exploit -- if successful -- is used to carry out a series of actions that lead to the installation of Dridex botnet ID 7500 on the user’s system. During our testing (for example on Office 2010) the vulnerable system was fully exploited despite the fact that users were presented a dialog about the document containing “links that may refer to other files” (user interaction was not required). The dialog is shown in Figure 2:

Figure 2: Dialog box that appears when users open the document on vulnerable systems

Many combinations of Microsoft Word and Windows support "Protected View" for documents downloaded from the internet or opened directly from the email. In these cases, the user needs to “Enable Editing” before the exploit runs. However, most users are accustomed to enabling editing.

Figure 3: Illustration of Protected View

Conclusion

Although document exploits are being used less frequently in the wild, with threat actors favoring social engineering, macros, and other elements that exploit "the human factor," this campaign is a good reminder that actors will shift tactics as necessary to capitalize on new opportunities to increase the effectiveness of their efforts.

Microsoft patched this exploit (CVE-2017-0199) on April 11, 2017. Because of the widespread effectiveness and rapid weaponization of this exploit, it is critical that users and organizations apply the patch as soon as possible.

Indicators of Compromise (IOCs)

IOC

IOC Type

Description

23.95.23[.]219:443
63.141.250[.]167:443

IP address

Dridex Injects C&C

179.108.87[.]11:443

IP address

Dridex Worker C&C

185.44.105[.]92:443
64.79.205[.]100:4743
185.25.184[.]214:4743

IP address

Dridex Loader C&C

hxxp://btt5sxcx90[.]com/template.doc
hxxp://rottastics36w[.]net/template.doc
hxxp://btt5sxcx90[.]com/7500.exe

URL

Dridex Payload

c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629

SHA256

Attachment

444d42f49971a88b798dfb8735ad14dc96285252bcb67a72d171dbdfe39ac2bd

SHA256

Attachment

7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c

SHA256

Attachment