An unpatched vulnerability in Microsoft Word is being exploited to forward Dridex malware to millions of unsuspecting users.

Researchers from security firm Proofpoint discovered the Dridex distribution campaign using documents emailed to millions of recipients, primarily in Australia.

This represents the first malware distribution campaign exploiting the newly discovered Microsoft Word zero-day vulnerability.

The vulnerability, first discovered by MacAfee, allows an attacker to bypass security measures in the program, and is linked to the Object Linking and Embedding function in Word. Targets are sent a Microsoft Word document that contains HTML application content executed as an .hta file, giving the attackers the ability to execute code on the targeted machine. This vulnerability is now being exploited by malicious agents to distribute Dridex malware.

Targeted individuals receive an email with an attached document, formatted as .RTF (Rich Text Format). The subject line of the email uses the phrase ‘Scan Data’, and the attached document is named ‘Scan_’ followed by a series of randomized numbers.

The researchers note that this scam is fairly convincing, even though it is simple and without the advanced social engineering traits that are becoming more common in malware distribution. For example, in the airline phishing attack discovered last month, the perpetrators completed extensive research on targets to make the lure more convincing, and managed to achieve an extremely high success rate.

The Dridex scam, while relatively unsophisticated, is spreading quickly. Targets who open the generically titled email and attached document initiate a series of actions that lead to the installation of the Dridex botnet 7500 on their system. This exploit has proven successful, even though targets are shown a dialog box noting that the document containing the malware contains “links that may refer to other files.”

The Microsoft Word zero-day vulnerability that is exploited by this campaign is expected to be patched soon; however, Proofpoint warns that due to the “widespread effectiveness and rapid weaponization of this exploit, it critical that users and organizations apply the patch as soon as it becomes available.”

Dridex malware was used in 2015 and 2016 in the distribution of Locky ransomware, and represented a popular choice among threat actors for personalized and targeted attacks. It reappeared in late March 2017 after a relatively quiet period in the first quarter of this year, possibly due to a disruption in the botnet that was used for distribution of the malware in previous years. An increase in Dridex activity, followed by this exploit of the MS Word vulnerability, suggests that threat actors using Dridex are returning to former activity levels.