This represents the first malware distribution campaign exploiting the newly discovered Microsoft Word zero-day vulnerability. Once the document is opened, the exploit connects to a remote server and downloads a file containing an HTML application (HTA) dressed up as a Microsoft document. FireEye added that the exploit bypasses most mitigations. Notably, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack does not require targets to enable macros.
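The "HTML application dressed up as a Microsoft document" detail is the practical detection hook: the downloaded payload is served under a Word file name or Word MIME type, but its bytes are not a Word container. The following Python script is an added example written for this article, not code from FireEye, McAfee, Proofpoint or Microsoft. It compares what a download claims to be (file name and Content-Type) against its real format (OLE2, OOXML ZIP, RTF, or HTML/HTA markup) and flags the mismatch. The sample payloads, file names and Content-Type values are constructed for the example; the HTA body contains only a harmless message box and nothing from a real exploit.

```python
"""Flag downloads that claim to be Word documents but are really HTA/HTML.

Added example (not from the article). The heuristic is a declared-type versus
magic-byte mismatch: Word documents are OLE2 compound files, OOXML ZIP
containers or RTF text, never HTML markup.
"""
import re

# Magic bytes of the real Word container formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx (Office Open XML is a ZIP)
RTF_MAGIC = b"{\\rtf"                               # Rich Text Format

WORD_CONTENT_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
WORD_EXTENSIONS = (".doc", ".docx", ".dot", ".dotx", ".rtf")

# Markup that only appears in HTML / HTML Application content.
HTA_MARKERS = (
    re.compile(rb"<\s*hta\s*:\s*application\b", re.I),
    re.compile(rb"<\s*script\b", re.I),
    re.compile(rb"<\s*html\b", re.I),
)


def real_format(data: bytes) -> str:
    """Identify the container format from the payload bytes, not its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    # Look for HTML/HTA markup in the first 4 KiB, after a possible UTF-8 BOM.
    sample = data[:4096].lstrip(b"\xef\xbb\xbf")
    if any(marker.search(sample) for marker in HTA_MARKERS):
        return "hta/html"
    return "unknown"


def claims_word_document(name: str, content_type: str) -> bool:
    """True if the file name or the HTTP Content-Type presents this as a Word file."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return name.lower().endswith(WORD_EXTENSIONS) or mime in WORD_CONTENT_TYPES


def check_download(name: str, content_type: str, data: bytes) -> dict:
    """Combine the declared and real formats; a Word claim over HTA bytes is suspicious."""
    fmt = real_format(data)
    declared_word = claims_word_document(name, content_type)
    return {
        "name": name,
        "declared_word": declared_word,
        "actual": fmt,
        "suspicious": declared_word and fmt == "hta/html",
    }


# Constructed sample payloads (not captured traffic).
DISGUISED_HTA = (
    b'<html><head><HTA:APPLICATION ID="sample" WINDOWSTATE="minimize"></head>\n'
    b'<script language="VBScript">MsgBox "constructed sample"</script></html>\n'
)
BENIGN_DOCX = ZIP_MAGIC + b"\x14\x00\x06\x00" + b"[Content_Types].xml" + b"\x00" * 32
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64
RTF_DOC = b"{\\rtf1\\ansi{\\fonttbl\\f0 Arial;}\\f0 hello}"

# Hypothetical file names and Content-Types an HTTP download might carry.
SAMPLES = [
    ("invoice.doc", "application/msword", DISGUISED_HTA),   # disguised HTA
    ("report.docx", "application/vnd.openxmlformats-officedocument."
                    "wordprocessingml.document", BENIGN_DOCX),
    ("memo.doc", "application/msword", LEGACY_DOC),
    ("notes.rtf", "application/rtf", RTF_DOC),
    ("tool.hta", "application/hta", DISGUISED_HTA),          # honest HTA, no mismatch
]


def scan_samples() -> list:
    """Run the check over every constructed sample and return the verdicts."""
    return [check_download(name, ctype, data) for name, ctype, data in SAMPLES]


if __name__ == "__main__":
    for verdict in scan_samples():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f'{verdict["name"]:<14} declared_word={verdict["declared_word"]!s:<5} '
              f'actual={verdict["actual"]:<9} {flag}')
```

The check runs on the payload a proxy or sandbox already has on disk, so it costs nothing at scale; the mismatch itself is the signal, and an honest `.hta` download served as `application/hta` is deliberately not flagged.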
"Although attacks relying on document exploits are increasingly uncommon, they certainly remain in attackers' toolkits".
It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend.
The company rolled out the fix as part of its regularly scheduled Patch Tuesday.
Once the damage is done, a fake Word document is shown to the user, but at that point it is too late: the malware is already installed on the machine.
"We want to deal with this through an update on Tuesday April 11, and customers that have updates enabled will be protected automatically", said a Microsoft spokesman.
Proofpoint also urged Microsoft Word users to install the security updates quickly. "Once the vulnerability becomes known, a race begins for the developer, who must protect users". According to the company, the new zero-day exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10.
"Meanwhile we encourage customers to practise safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources to avoid this type of issue."
McAfee first disclosed the vulnerability and FireEye followed up the disclosure with a blog post stating it had been working with Microsoft to coordinate disclosure of the vulnerability.
Microsoft Office has a feature called "Protected View" that is enabled by default; however, you should double check your settings to make sure that this feature is turned on (in Word: File > Options > Trust Center > Trust Center Settings > Protected View). Keep in mind that Protected View only helps while the document stays in it: clicking "Enable Editing" on a document from an untrusted source leaves the sandbox, so that prompt deserves the same caution as an unknown attachment.