Microsoft Word, the widely popular text editor which is a significant part of the Office suite, had been plagued with a gruesome zero-day vulnerability until today. As part of its monthly Tuesday update patch cycle, the Redmond giant has patched the loophole which was being exploited to quietly install malware and extract banking information of Word users.
This vulnerability was identified by the researchers at McAfee, who disclosed the previously unpatched exploit to give Office users a heads-up. It was found that Microsoft Word had an existing zero-day vulnerability which was quite different from other document-related exploits that relied on macros. In such cases, users opening a macro-enabled document is warned about the risks attached to the same.
However, this zero-day exploit, which affected all versions of Office, worked differently than traditional Word-related vulnerabilities which involve the documents itself. It found that this vulnerability was triggered by opening the document but it was completely fake. This trick document when opened by the user was successful in baiting them and initiated the hacking procedure in the background.
It popped up an entirely fake document and initiated contact with a remote server to download malicious HTML files, which are also disguised to look similar to rich text documents. This HTML decoy file is executable and spreads malicious code on your PC, which is used to stealthily install malware. The attacker was then handed over the capability to remotely gain access to your affected computer while evading Microsoft’s memory-based security measures.
Talking about the same, McAfee wrote in its blog post:
The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim’s machine. Thus, this is a logical bug and gives the attackers the power to bypass any memory-based mitigations developed by Microsoft.
This vulnerability was made public on Friday, but cyber security firm Proofpoint found that the said zero-day vulnerability was being exploited in an email marketing campaign. The hackers involved in this massive campaign were targeting users’ banking information by distributing the Dridex Trojan malware. It was found that the campaign was sent to millions of users across various organizations, primarily in Australia.
Dridex, for those aloof, is a strain of banking malware that leverages macros in Microsoft Office to infect PCs. The primary aim of this malware is to steal banking and personal information to access your financial records. In an official blog post, Proofpoint detailed the procedure of the malicious attack stating that the attacker sent the message with the subject title ‘Scan Data’ and carried attachments, with names “Scan_xxxxxx.doc” or “Scan_xxxxxx.pdf“. It further added,
Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.
The vulnerability has now been patched as the Redmond giant has made good on its word. It has taken a mere four days to completely patch the exploit and seal the attackers out from their Office suite. At the time, Microsoft had issued the following statement:
We plan to address this through an update on Tuesday April 11, and customers who have updates enabled will be protected automatically. Meanwhile, we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue.
So, if you receive a shady email message asking you to download the document and open it immediately. Don’t even go near any such emails because you have been preemptively advised not to. Update your Microsoft Office suite to protect your privacy — personal info, such as your banking details, from being picked up by a scammer and sent to cyber-criminals. Else, we believe you can always practice safe computing habits online and be vigilant enough not to fall for any such foolish scams.
