Skip to content

Inside the Dridex banking Trojan

This latest hack into Microsoft Office is called the ‘Dridex Banking Trojan’ in most reports.  It takes advantage of a newly discovered security bug in Microsoft Office.  Here’s the hard details that are often overlooked in many reports.

Microsoft has released patches to close the security breach but not before the hackers were able to spread the infection around the globe.

Happily, the normal ‘safe computing’ precautions should protect you.

Affected Software

Dridex can be triggered by Microsoft Word or WordPad (it comes with Windows) but uses a faulty Windows component to access your system. The fix needs updates to both Windows and Office.

Affected systems are:

Office for Windows:  2016, 2013, 2010 and 2007  (possibly earlier versions of Office, but MS no longer supports them).

Windows:  7 and Vista (Windows 8 and 10 are not listed by Microsoft as affected).

Windows Server: 2012, 2008 R2 and 2008.

Patches

Microsoft has now released patches to block this exploit.

In short: make sure your Windows and Office are up to date.

Go to Windows Update (Settings | Update & Security )

Or Control Panel | Windows Update in Windows 7 and before.

For Office 2013/Office 2016 (subscribers) go to

Hacked Emails

Dridex is really a problem with .RTF (Rich Text File) documents but it’s usually sent with the misleading .doc extension

The current attack comes in an email:

From:  “copier@”, “documents@”, “noreply@”, “no-reply@”, or “scanner@”

The ‘from’ domain is the same as the recipient’s domain, so the email looks like it’s ‘in-house’.  For example, an infected email to [email protected] will come from <something>@fredagg.com

Subject:  Scan Data

Attachment:

Scan_<random number>.doc   e.g.  Scan_99999.doc

That’s just the current common attack.  It’s very likely that the same Dridex exploit will be used in other emails with varying From, Subject and Attachment names.

Ideally, the anti-virus/spam checks at your mail host will detect these hacker emails and delete them before they reach your Inbox.

Naming

Viruses, trojans and hacks don’t have official names.  They are given nicknames by anti-virus firms or investigators.

This one is called ‘Dridex Banking Trojan’ by most people … except Microsoft.

Microsoft names the underlying security bug in their software, in this case:

“Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API”

There is a “Common Vulnerabilities and Exposures” list http://www.cve.mitre.org which allocates a standard reference to each exploit – this one is CVE-2017-0199 but that page is essentially blank because Microsoft is slow to update their CVE entries.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.