Spotlight on a Sweeping Zero-Day Attack
We regularly monitor for spikes of malicious activity within our analysis results that we can relate to new malware campaigns. One such spike occurred on April 11, when we saw a significant increase in malicious PDF files in every region of the world.
I wanted to highlight that day because it’s a good illustration of how quickly bad actors can create malware that targets a newly discovered vulnerability. Using the traffic volume of one of our Technology Alliance Partners as an example, you can see the significant increase in malicious files (top graph) and a corresponding increase in PDF files (lower graph).
Zero Day Attack
The malicious PDFs contained a zero-day threat attempting to harvest online banking credentials (and other PII) via the Dridex Trojan. Dridex (also known as Cridex and Bugat) is a derivative of the father-of-all-Trojans, Zeus.
The author of this malware was targeting a new zero-day vulnerability affecting Microsoft Office products that came to light earlier this month. The exploit targets a vulnerability in Windows Object Linking and Embedding (OLE) and can succeed on all versions of Microsoft Office, including Office 2016 running on the latest Windows 10 OS (considered by many to be the most secure version of the Windows OS family).
Leveraging the executable name redchip2, the Global Threat Intelligence Network provides us a Threat Profile for the attack. Below, a screenshot of this Threat Profile (from Lastline Enterprise) shows the attack stages in the bottom half of the screen. It shows the progression from connecting to the attacker’s server to exploiting the vulnerability to downloading and installing the Trojan:
Fortunately, Microsoft issued a patch on April 11 (the same day this campaign launched). Unfortunately, although Microsoft has issued a patch, attackers know that it can take months for organizations to deploy new patches.
What You Can Do About Malicious Documents
Here are a few suggestions for reducing the risk from malicious attachments:
- If you haven’t already installed the latest updates from Microsoft across your network, you should add them to your next patch cycle.
- Remind your users for the 4,762nd time not to:
- Take candy from strangers or open emails from senders they don’t recognize.
- Override security controls (like enabling macros) in attachments sent via email.
- Deploy Lastline Enterprise to detect advanced and zero-day threats like this in email, web, and network traffic (what, you thought this post was going to be commercial-free?).
You can’t eliminate the risk of malware penetrating your network, but you can significantly reduce it by regularly deploying critical patches and reminding your users of safe email practices. “An ounce of prevention is worth a pound of cure”, as that famous kite-flyer and all-around smart guy Benjamin Franklin once said.