Dangerous Trojan Steals Banking Credentials


Security Alerts and Recommendations from EnCirca


Today’s Quick-Read

Threat – Malware delivered via email

Target – Online banking credentials

Target Application – Microsoft Word

Best fix – Apply the patch from Microsoft

A new zero-day flaw, discovered being exploited in the wild, affects unpatched Microsoft Word installations (a computer can be fully patched in every other respect and still be vulnerable) and is being used to spread the Dridex banking Trojan. Dridex is currently one of the most dangerous banking Trojans on the Internet: once it infiltrates your computer it monitors traffic to bank sites and steals your online banking credentials and financial data.


According to researchers, this attack is severe because it lets attackers bypass most of the exploit mitigations developed by Microsoft, and unlike past Microsoft Word exploits seen in the wild, it does not require you to have macros enabled. The attack works on all Windows operating systems, even Windows 10.


How it works


The attack uses OLE2link objects (Windows Object Linking and Embedding) embedded in a document attached to an ordinary email. When the document is opened, the malicious object triggers a connection to a remote server controlled by the attacker, from which it downloads a malicious HTML Application (HTA) file disguised as a Microsoft RTF (Rich Text Format) document. The HTA file executes automatically, giving the attacker full code execution on your machine; it then downloads additional payloads from other well-known malware families to take over your computer and closes the compromised Word file. In the time it takes you to open and close the Word file, the malware has already been installed in the background on your system.
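As an added example (not part of the EnCirca alert, and not the detection logic of any named product), the following Python script shows one defensive check a mail gateway or an analyst could run on an RTF attachment before a user opens it: it pulls the hex-encoded `\objdata` payloads out of the file, flags embedded objects whose OLE class name is OLE2Link (the object type named above), and notes whether the `\objupdate` control word is present, which tells Word to refresh the linked object as soon as the document is opened. The two RTF samples are constructed inside the script, and the OLE1 header they carry is a simplified layout; this is a heuristic that complements, not replaces, the Microsoft patch.

```python
"""Heuristic check for RTF attachments that embed an OLE2Link object.

Added example, not part of the EnCirca alert and not any vendor's detection
logic. It extracts the hex-encoded \\objdata payloads from an RTF file, flags
objects whose OLE class name is OLE2Link (the object type named in the alert),
and notes whether the \\objupdate control word is present, which makes Word
refresh the linked object as soon as the document is opened. The sample RTF
documents below are constructed here; the OLE1 header they carry is simplified.
"""
import re

# \objdata introduces the embedded object as a run of hex digits; RTF writers
# fold the run across lines, so whitespace is allowed inside it.
OBJDATA_RE = re.compile(rb"\\objdata\s*((?:[0-9a-fA-F]|\s)+)")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OLE2LINK_RE = re.compile(rb"ole2link", re.IGNORECASE)


def extract_objects(rtf: bytes) -> list[bytes]:
    """Return the decoded binary payload of every \\objdata group."""
    objects = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:          # tolerate a truncated final nibble
            hexdata = hexdata[:-1]
        objects.append(bytes.fromhex(hexdata.decode("ascii")))
    return objects


def scan_rtf(rtf: bytes) -> dict:
    """Scan one RTF document and report OLE2Link indicators."""
    objects = extract_objects(rtf)
    findings = []
    for index, blob in enumerate(objects):
        if OLE2LINK_RE.search(blob):
            findings.append(f"object {index}: class name OLE2Link")
    auto_update = bool(OBJUPDATE_RE.search(rtf))
    if auto_update and objects:
        findings.append(r"\objupdate present: object is refreshed on open")
    return {
        "object_count": len(objects),
        "auto_update": auto_update,
        "findings": findings,
        # The class name is the decisive indicator; \objupdate on its own
        # also appears in legitimate linked documents.
        "suspicious": any(OLE2LINK_RE.search(blob) for blob in objects),
    }


# --- constructed samples (illustration only) -----------------------------

def _ole1_header(class_name: bytes) -> bytes:
    """Simplified OLE1 ObjectHeader: version, format id, NUL-terminated class name."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name)


def make_sample_rtf(class_name: bytes, auto_update: bool) -> bytes:
    """Build a minimal RTF document embedding one OLE object (constructed data)."""
    hexdata = _ole1_header(class_name).hex().encode("ascii")
    folded = b"\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
    link = rb"\objautlink\objupdate" if auto_update else rb"\objemb"
    return (rb"{\rtf1\ansi{\object" + link
            + rb"{\*\objclass Word.Document.8}{\*\objdata " + folded
            + rb"}}\par Quarterly report}")


BENIGN_RTF = make_sample_rtf(b"Excel.Sheet.8", auto_update=False)
SUSPICIOUS_RTF = make_sample_rtf(b"OLE2Link", auto_update=True)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(label, scan_rtf(sample))
```

Running the script prints one result line per sample; the benign document (an ordinary embedded spreadsheet object) reports no findings, while the constructed OLE2Link sample is flagged on the class name and additionally notes the auto-update flag. Because the scanner decodes the hex payload before matching, it also catches samples that fold or re-case the hex run to defeat a plain string search on the raw RTF text.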


How to protect yourself


  • Do not open or download suspicious Word files that arrive by e-mail, even if you know the sender, until you have installed the patch from Microsoft.

  • The attack does not work when a malicious document is viewed in Office's Protected View, so users are advised to keep this feature enabled when viewing any Office documents.

  • Always keep your system and antivirus up-to-date.

  • Regularly back up your files to an external hard drive.

  • Disabling macros offers no protection against this attack, but users are still advised to do so to protect themselves against other attacks.

  • Always be wary of phishing emails and spam, and do not click on attachments you were not expecting.

  • Apply the patch from Microsoft that was released on 4/11/2017.


Resources: Hacker News; DRIDEX – By Symantec


Ensight Security Alerts and Recommendations is a free service of EnCirca, the most secure domain name registrar. Comments or questions may be directed to Ensight@encirca.com.