URL: https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day
Submission: On December 20 via api from BY — Scanned from US

Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft
Zero-Day


April 10, 2017 Proofpoint Staff

[Updated April 11, 2017, to reflect the release of a patch for CVE-2017-0199 and
provide additional details on the function of the exploit document]

Overview

This weekend saw multiple reports of a new zero-day vulnerability that affected
all versions of Microsoft Word. Today, Proofpoint researchers observed the
document exploit being used in a large email campaign distributing the Dridex
banking Trojan. This campaign was sent to millions of recipients across numerous
organizations primarily in Australia.

This represents a significant level of agility and innovation for Dridex actors
who have primarily relied on macro-laden documents attached to emails. While a
focus on exploiting the human factor - that is, the tendency of people to click
and inadvertently install malware on their devices in socially engineered
attacks - remains a key trend in the current threat landscape, attackers are
opportunists, making use of available tools to distribute malware efficiently
and effectively. This is the first campaign we have observed that leverages the
newly disclosed Microsoft zero-day.

Analysis

Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format)
document. Messages purported to be from "<[device]@[recipient's domain]>".
[device] may be "copier", "documents", "noreply", "no-reply", or "scanner". The
subject line in all cases read "Scan Data" and included attachments named
"Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random
digits. Note that while this campaign does not rely on sophisticated social
engineering, the spoofed email domains and common practice of emailing digitized
versions of documents make the lures fairly convincing.
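A defender-side check for the lure traits just described (device-style sender at the recipient's own domain, "Scan Data" subject, Scan_NNNNNN.doc/.pdf attachment), added here as an example and not code from the Proofpoint post; the sample messages are constructed and the three-trait threshold is an assumption:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure traits from the post: device-style sender at the recipient's own domain,
# subject "Scan Data", attachment named Scan_<six digits>.doc or .pdf.
DEVICE_LOCALPARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
ATTACHMENT_RE = re.compile(r"^Scan_\d{6}\.(doc|pdf)$", re.IGNORECASE)
# Constructed sample messages, not real campaign mail; the attachment body is filler.
SAMPLE_LURE = """\
From: <scanner@example.com>
To: <alice@example.com>
Subject: Scan Data
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="Scan_482913.doc"
Content-Disposition: attachment; filename="Scan_482913.doc"

FILLER-NOT-A-DOCUMENT
--b1--
"""
SAMPLE_BENIGN = """\
From: <bob@partner.org>
To: <alice@example.com>
Subject: Q2 invoice
"""

def lure_traits(raw_message: str) -> list[str]:
    # Parse the RFC 5322 message and collect every lure trait that is present.
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_local, _, sender_domain = sender.rpartition("@")
    recipient_domain = recipient.rpartition("@")[2]
    traits = []
    if sender_local.lower() in DEVICE_LOCALPARTS:
        traits.append("device-style sender")
    if sender_domain and sender_domain.lower() == recipient_domain.lower():
        traits.append("sender domain equals recipient domain")
    if (msg.get("Subject") or "").strip() == "Scan Data":
        traits.append("subject 'Scan Data'")
    for part in msg.walk():  # the root multipart has no filename and is skipped
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name):
            traits.append(f"attachment {name}")
    return traits

def is_scan_data_lure(raw_message: str, threshold: int = 3) -> bool:
    # Require several traits to co-occur; the threshold of 3 is an assumption.
    return len(lure_traits(raw_message)) >= threshold
```

Each trait on its own is common in legitimate mail (scanners really do send from the local domain), which is why the check scores their co-occurrence rather than alerting on any single one.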

A sample email is shown in Figure 1 below.



Figure 1: Sample email from Dridex campaign exploiting Microsoft Word zero-day

When recipients open the document, the exploit -- if successful -- is used to
carry out a series of actions that lead to the installation of Dridex botnet ID
7500 on the user’s system. During our testing (for example on Office 2010) the
vulnerable system was fully exploited despite the fact that users were presented
a dialog about the document containing “links that may refer to other files”
(user interaction was not required). The dialog is shown in Figure 2:



Figure 2: Dialog box that appears when users open the document on vulnerable
systems

Many combinations of Microsoft Word and Windows support "Protected View" for
documents downloaded from the internet or opened directly from the email. In
these cases, the user needs to “Enable Editing” before the exploit runs.
However, most users are accustomed to enabling editing.



Figure 3: Illustration of Protected View

Conclusion

Although document exploits are being used less frequently in the wild, with
threat actors favoring social engineering, macros, and other elements that
exploit "the human factor," this campaign is a good reminder that actors will
shift tactics as necessary to capitalize on new opportunities to increase the
effectiveness of their efforts.

Microsoft patched this vulnerability (CVE-2017-0199) on April 11, 2017. Because of
the widespread effectiveness and rapid weaponization of the exploit, it is critical
that users and organizations apply the patch as soon as possible.

Indicators of Compromise (IOCs)

IOC | IOC Type | Description
23.95.23[.]219:443 | IP address | Dridex Injects C&C
63.141.250[.]167:443 | IP address | Dridex Injects C&C
179.108.87[.]11:443 | IP address | Dridex Worker C&C
185.44.105[.]92:443 | IP address | Dridex Loader C&C
64.79.205[.]100:4743 | IP address | Dridex Loader C&C
185.25.184[.]214:4743 | IP address | Dridex Loader C&C
hxxp://btt5sxcx90[.]com/template.doc | URL | Dridex Payload
hxxp://rottastics36w[.]net/template.doc | URL | Dridex Payload
hxxp://btt5sxcx90[.]com/7500.exe | URL | Dridex Payload
c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629 | SHA256 | Attachment
444d42f49971a88b798dfb8735ad14dc96285252bcb67a72d171dbdfe39ac2bd | SHA256 | Attachment
7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c | SHA256 | Attachment
