Microsoft has rolled out a fix for the zero-day vulnerability in its Word productivity app that came to light a few days ago, when it was revealed by McAfee. When the documents used in this attack are opened, they reach out to an external server and download an HTA (HTML Application) file containing malicious VBScript.
The HTA file is then executed automatically, giving the attackers full code execution privileges on the affected device. A multi-layered defense can block malware of this type at several points, for example by stopping the initial booby-trapped Word file, preventing the Dridex download, blocking the downloaded malware from running, and finding and killing off the Dridex malware in memory.
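One of those layers is inspecting incoming Word documents before a user opens them. The example below is added here and is not code from the article or from any vendor it quotes; it assumes the booby-trapped document is a .docx package whose relationship parts carry an external link (TargetMode="External") to the remote HTA, and it flags any external OLE object link or any external target ending in .hta. The package built in the example is constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type for linked OLE objects
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def external_relationships(docx_bytes):
    """Yield (rels part, relationship type, target) for every external relationship in the package."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    yield name, rel.get("Type", ""), rel.get("Target", "")


def is_suspicious(rel_type, target):
    """Assumption: a linked OLE object fetched from a remote host, or any remote .hta, is worth blocking."""
    t = target.lower().split("?", 1)[0].split("#", 1)[0]
    remote = t.startswith(("http://", "https://", "file://", "\\\\"))
    return remote and (rel_type == OLE_TYPE or t.endswith(".hta"))


def scan(docx_bytes):
    """Return the list of (rels part, target) pairs a mail gateway or EDR hook should flag."""
    return [(part, tgt) for part, typ, tgt in external_relationships(docx_bytes) if is_suspicious(typ, tgt)]


def build_sample_docx(rel_type, target):
    """Constructed minimal .docx: only the parts this check reads, not a full Word document."""
    rels = (f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{rel_type}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan(build_sample_docx(OLE_TYPE, "http://payload.invalid/template.hta")))
    print(scan(build_sample_docx(HYPERLINK_TYPE, "https://example.invalid/page.html")))
```

Ordinary hyperlinks to web pages are left alone so the check stays usable on real mail flow; a remote linked OLE object is rare enough in legitimate documents to quarantine and review.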
FireEye said it had previously notified Microsoft of the issue and was coordinating disclosure with the release of a patch, but issued its advisory after the problem was made public.
McAfee recommends not opening any files from untrusted sources, and using Microsoft Office Protected View, until the patch is released on Tuesday.
Li said it had informed Microsoft Security Response Center of the attacks and vulnerability.
Worryingly, the vulnerability remains unpatched for now, but Microsoft has pledged the bug will be fixed when the monthly security update rolls out on April 11. "Once the vulnerability becomes known, a race begins for the developer, who must protect users".
The attack was capable of bypassing numerous mitigation systems built into Microsoft Office and Windows created to stop malicious files from executing.
"Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing", said Proofpoint, adding the scammers have targeted millions of people, mostly in Australian organizations.
In tests carried out by McAfee, Li said the attack cannot bypass Office Protected View. If the user opens the file outside Protected View, a Visual Basic script is run.
But FireEye believes these attacks only began after the McAfee blog post, and that the attackers likely reverse engineered the vulnerability from that post.