Locky Uses DDE Attack for Distribution

silversurfer

Thread author
While continuing to spread via spam emails sent by the Necurs botnet, the Locky ransomware has switched to new attack techniques in recent campaigns, in an attempt to evade detection and improve infection rate.

One of the methods involves the use of the Dynamic Data Exchange (DDE) protocol, which has been designed to allow Windows applications to transfer data between them. Consisting of a set of messages and guidelines, it uses shared memory to exchange data between applications.

Malicious actors found a way to use DDE with Office documents and automatically run malware without the use of macros. DDE, which allows an Office application to load data from another Office application, was replaced by Microsoft with Object Linking and Embedding (OLE), but continues to be supported.

The technique was previously observed being employed by the FIN7 hacking group in recent DNSMessenger malware attacks, and Internet Storm Center (ISC) handler Brad Duncan says it could also be associated with a Hancitor malware campaign spotted earlier this week.

Now, Duncan reveals that Locky too has adopted the use of Office documents and DDE for infection. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

“The continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists,” the security researchers explain.

Recent Necurs-fueled distribution campaigns were also observed dropping the TrickBot banking Trojan via the same attachments carrying Locky.
 

Solarquest

Necurs-Based DDE Attacks Now Spreading Locky Ransomware
....

Attacks using DDE are also likely to bypass antimalware and intrusion prevention scanners given that it’s likely a whitelisted feature.

“Apparently, DDE and macros are both legitimate features in Microsoft Office. Both have been used in malware attacks. In both cases, Office documents from malicious spam provide warnings to let a victim know what’s going on. To fix the issue, you’d have to remove the DDE entirely,” Duncan said. “If DDE is a functionality, then yes, I agree with Microsoft’s statement that it won’t be patched. However, many articles about DDE state it’s been superseded by OLE functionality. If so, why doesn’t Microsoft get rid of DDE entirely? Are there any legitimate DDE cases that require Microsoft to retain this backwards compatibility?”
....
....

“The best option I’ve found so far to disable DDE? For each office Application, under the Options menu, go to Advanced Options –> General, then make sure the “Update automatic links at open” box is un-checked,” Duncan said. “I found that prevents Word documents with DDE attacks from working. But in online forums, some people indicate this change doesn’t necessarily stay, and ‘Update automatic links at open’ may get re-checked again on its own.”



Antivirus scan for 3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126 at 2017-10-21 10:25:02 UTC - VirusTotal

Antivirus scan for ea132c34ebbc591eda78531e2bfb9a4cb40e55a245191f54e82df25be9b58db2 at 2017-10-21 10:26:27 UTC - VirusTotal

Antivirus scan for d2cca5f6109ec060596d7ea29a13328bd0133ced126ab70974936521db64b4f4 at 2017-10-21 15:10:01 UTC - VirusTotal

Antivirus scan for 4c054127056fb400acbab7825aa2754942121e6c49b0f82ae20e65422abdee4f at 2017-10-21 10:34:07 UTC - VirusTotal
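The posts above describe DDE abuse in Word attachments and a per-user UI workaround that may not stick; a defender also wants a way to spot such attachments before they are opened. The following Python scanner is an added example, not code from this thread or the articles it quotes: it unzips a .docx, walks every WordprocessingML part, rejoins field codes that are split across several runs, and flags any DDE/DDEAUTO field. The sample documents are constructed inline and use only a plain (non-malicious) DDE link.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field codes that start a DDE link (whitespace is collapsed before matching).
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def field_codes(xml_bytes):
    """Yield every field code string found in one WordprocessingML part.
    Complex fields are often split over several w:instrText runs (sometimes
    deliberately, to defeat naive string matching), so rejoin them per paragraph."""
    root = ET.fromstring(xml_bytes)
    for para in root.iter(W + "p"):
        parts = [t.text or "" for t in para.iter(W + "instrText")]
        if parts:
            yield " ".join("".join(parts).split())
    for fld in root.iter(W + "fldSimple"):          # simple (single-element) fields
        instr = fld.get(W + "instr")
        if instr:
            yield " ".join(instr.split())

def find_dde_fields(docx_bytes):
    """Return [(part_name, field_code)] for each DDE/DDEAUTO field in a .docx.
    Headers, footers and other word/*.xml parts are scanned, not only document.xml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, code))
    return hits

def make_docx(body_xml):
    """Build a minimal constructed .docx around the given body XML (sample input only)."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed samples: a DDEAUTO field whose code is split across two runs, and a benign PAGE field.
DDE_SAMPLE = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDEAU</w:instrText></w:r>'
    '<w:r><w:instrText>TO excel "book.xlsx" "R1C1"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
BENIGN_SAMPLE = make_docx('<w:p><w:fldSimple w:instr=" PAGE "/></w:p>')
```

Any hit is worth a manual look: legitimate DDE links exist, but an invoice attachment from an unknown sender carrying one is exactly the pattern the thread describes.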