Spotlight on a Sweeping Zero-Day Attack

We regularly monitor for spikes of malicious activity within our analysis results that we can relate to new malware campaigns. One such spike occurred on April 11, when we saw a significant increase in malicious PDF files in every region of the world.

I wanted to highlight that day because it’s a good illustration of how quickly bad actors can create malware that targets a newly discovered vulnerability. Using the traffic volume of one of our Technology Alliance Partners as an example, you can see the significant increase in malicious files (top graph) and a corresponding increase in PDF files (lower graph).

[Figure: traffic volume from a Technology Alliance Partner, showing the increase in malicious files (top graph) and in PDF files (lower graph) on April 11]

The malicious PDFs contained a zero-day threat attempting to harvest online banking credentials (and other PII) via the Dridex Trojan. Dridex (also known as Cridex and Bugat) is a derivative of the father-of-all-Trojans, Zeus.

The author of this malware was targeting a new zero-day vulnerability affecting Microsoft Office products that came to light earlier this month. The exploit targets a vulnerability in Windows Object Linking and Embedding (OLE) and can succeed on all versions of Microsoft Office, including Office 2016 running on the latest Windows 10 OS (considered by many to be the most secure version of the Windows OS family).

There were many variations of the new threat in circulation last week. The version that hit our Technology Alliance Partner’s network is a PDF attachment containing a two-stage malware dropper that ultimately installs an executable named redchip2.exe. The PDF contains JavaScript and an embedded Word document. When the JavaScript runs, it first drops the document and opens it; opening the document triggers the exploit, which downloads and executes the redchip2 file and installs the Dridex Trojan.
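As an added example (not code from the original post or from Lastline), here is a Python triage script that flags the structure described above: a PDF carrying JavaScript, an auto-run action and an embedded file. The sample PDF and the verdict thresholds are constructed assumptions for this example.

```python
import re
from collections import Counter

# PDF name objects that point to active content or an embedded payload; the dropper
# described above combined JavaScript with an embedded Word document.
ACTIVE_NAMES = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch"}
EMBED_NAMES = {"/EmbeddedFile", "/EmbeddedFiles"}
# Names inside compressed object streams are invisible to a raw byte scan, so
# /ObjStm on its own is enough to ask for a closer look.
OPAQUE_NAMES = {"/ObjStm"}

_NAME = re.compile(rb"/[^\s/<>\[\]()]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode PDF name hex escapes so /J#61vaScript is seen as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf_bytes(data: bytes) -> dict:
    """Count suspicious names in raw PDF bytes and return a triage verdict.
    Thresholds are an assumption for this example: JavaScript plus an embedded
    file, or any /Launch action, is quarantined; other hits go to manual review."""
    names = Counter(normalize_name(n) for n in _NAME.findall(data))
    hits = {k: v for k, v in names.items()
            if k in ACTIVE_NAMES | EMBED_NAMES | OPAQUE_NAMES}
    found = set(hits)
    has_js = bool({"/JS", "/JavaScript"} & found)
    has_embed = bool(EMBED_NAMES & found)
    auto_exec = bool({"/OpenAction", "/AA"} & found)
    if (has_js and has_embed) or "/Launch" in found:
        verdict = "quarantine"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "auto_exec": auto_exec, "verdict": verdict}

# Constructed sample mimicking the dropper's layout: an /OpenAction that runs
# JavaScript (name hex-escaped, a common evasion) plus an embedded file. The
# script body is a harmless placeholder, not the real payload.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj
2 0 obj << /S /J#61vaScript /JS (constructed placeholder) >> endobj
3 0 obj << /Names [(doc) 4 0 R] >> endobj
4 0 obj << /Type /Filespec /F (doc) /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```

Running `scan_pdf_bytes(SAMPLE_PDF)` returns a "quarantine" verdict; a real mail gateway check should also decompress object streams before trusting a "clean" result.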

Leveraging the executable name redchip2, the Global Threat Intelligence Network provides us a Threat Profile for the attack. Below, a screenshot of this Threat Profile (from Lastline Enterprise) shows the attack stages in the bottom half of the screen. It shows the progression from connecting to the attacker’s server to exploiting the vulnerability to downloading and installing the Trojan:

[Screenshot: Lastline Enterprise Threat Profile for redchip2, with the attack stages shown in the lower half of the screen]

Fortunately, Microsoft issued a patch on April 11, the same day this campaign launched. Unfortunately, attackers know that it can take organizations months to deploy new patches.

What You Can Do About Malicious Documents

Here are a few suggestions for reducing the risk from malicious attachments:

  1. If you haven’t already installed the latest updates from Microsoft across your network, you should add them to your next patch cycle.
  2. Remind your users for the 4,762nd time not to:
    1. Take candy from strangers or open emails from senders they don’t recognize.
    2. Override security controls (like enabling macros) in attachments sent via email.
  3. Deploy Lastline Enterprise to detect advanced and zero-day threats like this in email, web, and network traffic (what, you thought this post was going to be commercial-free?).

You can’t eliminate the risk of malware penetrating your network, but you can significantly reduce it by regularly deploying critical patches and reminding your users of safe email practices. “An ounce of prevention is worth a pound of cure”, as that famous kite-flyer and all-around smart guy Benjamin Franklin once said.

Patrick Bedwell

Patrick Bedwell has been creating and executing product marketing strategies for network security products for almost 20 years. He earned his BA from Cal Berkeley, and his MBA from Santa Clara University.