Inside the Dridex banking Trojan
This latest hack into Microsoft Office is called the ‘Dridex Banking Trojan’ in most reports. It takes advantage of a newly discovered security bug in Microsoft Office. Here’s the hard details that are often overlooked in many reports.
Microsoft has released patches to close the security breach but not before the hackers were able to spread the infection around the globe.
Happily, the normal ‘safe computing’ precautions should protect you.
Dridex can be triggered by Microsoft Word or WordPad (it comes with Windows) but uses a faulty Windows component to access your system. The fix needs updates to both Windows and Office.
Affected systems are:
Office for Windows: 2016, 2013, 2010 and 2007 (possibly earlier versions of Office, but MS no longer supports them).
Windows: 7 and Vista (Windows 8 and 10 are not listed by Microsoft as affected).
Windows Server: 2012, 2008 R2 and 2008.
Microsoft has now released patches to block this exploit.
In short: make sure your Windows and Office are up to date.
Go to Windows Update (Settings | Update & Security )
Or Control Panel | Windows Update in Windows 7 and before.
For Office 2013/Office 2016 (subscribers) go to
Dridex is really a problem with .RTF (Rich Text File) documents but it’s usually sent with the misleading .doc extension
The current attack comes in an email:
From: “copier@”, “documents@”, “noreply@”, “no-reply@”, or “scanner@”
The ‘from’ domain is the same as the recipient’s domain, so the email looks like it’s ‘in-house’. For example, an infected email to firstname.lastname@example.org will come from <something>@fredagg.com
Subject: Scan Data
Scan_<random number>.doc e.g. Scan_99999.doc
That’s just the current common attack. It’s very likely that the same Dridex exploit will be used in other emails with varying From, Subject and Attachment names.
Ideally, the anti-virus/spam checks at your mail host will detect these hacker emails and delete them before they reach your Inbox.
Viruses, trojans and hacks don’t have official names. They are given nicknames by anti-virus firms or investigators.
This one is called ‘Dridex Banking Trojan’ by most people … except Microsoft.
Microsoft names the underlying security bug in their software, in this case:
“Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API”
There is a “Common Vulnerabilities and Exposures” list http://www.cve.mitre.org which allocates a standard reference to each exploit – this one is CVE-2017-0199 but that page is essentially blank because Microsoft is slow to update their CVE entries.
Office Watch has the latest news and tips about Microsoft Office. Delivered once a week.