The Dridex Trojan is a strain of banking malware that began spreading in 20141. Its transport mechanism continues to be spam email, commonly referred to as malspam. It steals a victim's banking credentials in order to commit fraudulent financial transactions. Historically, Dridex relied on Microsoft Office macros to successfully infect a victim. A new campaign, however, reveals that it's now leveraging a Microsoft Word zero-day vulnerability (CVE-2017-0199) instead.
For the exploit to land, a user must open an attached Microsoft Word RTF (Rich Text Format) document. Contained within it is an embedded OLE2link object which executes winword.exe. That process sends a HTTP request to a remote server which retrieves a malicious .hta file, the payload2.
To enable detection of malicious RTF documents, users need to verify that their NetWitness installation has been configured with the:
-‘fingerprint_rtf_lua parser’ from RSA Live.
Once you have subscribed to and enabled this content in your environment, NetWitness will identify suspicious strings in the RTF header. Shown below is the parser flagging RTF traffic.
Thanks to Kevin Stear, Bill Motley, Angela Stranahan, and Christopher Ahearn for contributing to this threat advisory.