Practical attacks using 0-day vulnerabilities in Microsoft Word

There is new information about the recently patched vulnerability in Microsoft Word, which is being used in real-world social engineering attacks on Internet users. Researchers from Proofpoint have observed the exploit in a large spam campaign spreading the Dridex Trojan. Messages have been sent to many organizations around the world, but according to statistics, Australia is the country most heavily hit by the spam. This is also the first campaign in which use of the newly disclosed 0-day vulnerability in the MS Office package has been observed.


The infection using the 0-day exploit begins in a traditional, still effective way: through a "scam".

If the victim opens the attached document, a dialog box appears asking the user to run the attached files.

Microsoft Word supports the so-called "Protected View" for documents downloaded from the Internet or opened directly from an e-mail. In such cases, the user must click "Enable Editing" before the exploit can run. This is the problem: most users are used to clicking through this prompt, which results in the execution of malicious code, namely the download and installation of one of the Dridex Trojan variants, "Dridex botnet ID 7500".


Information about enabling content in the "protected view".

Microsoft released the update for the vulnerability, CVE-2017-0199, on April 11, 2017. Because social engineering is so effective, it is important for users and organizations to install the update automatically through Windows Update as soon as possible.


