Malware News Locky Uses DDE Attack for Distribution

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
While continuing to spread via spam emails sent by the Necurs botnet, the Locky ransomware has switched to new attack techniques in recent campaigns, in an attempt to evade detection and improve infection rate.

One of the methods involves the use of the Dynamic Data Exchange (DDE) protocol, which has been designed to allow Windows applications to transfer data between them. Consisting of a set of messages and guidelines, it uses shared memory to exchange data between applications.

Malicious actors found a way to use DDE with Office documents and automatically run malware without the use of macros. DDE, which allows an Office application to load data from another Office application, was replaced by Microsoft with Object Linking and Embedding (OLE), but continues to be supported.

The technique was previously observed being employed by the FIN7 hacking group in recent DNSMessenger malware attacks, and Internet Storm Center (ISC) handler Brad Duncan says it could also be associated with a Hancitor malware campaign spotted earlier this week.

Now, Duncan reveals that Locky too has adopted the use of Office documents and DDE for infection. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

“The continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists,” the security researchers explain.

Recent Necurs-fueled distribution campaigns were also observed dropping the TrickBot banking Trojan via the same attachments carrying Locky.
Click to expand...
 
  • Like
Reactions: Weebarra, LASER_oneXM, XhenEd and 3 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Necurs-Based DDE Attacks Now Spreading Locky Ransomware
....

Attacks using DDE are also likely to bypass antimalware and intrusion prevention scanners given that it’s likely a whitelisted feature.

“Apparently, DDE and macros are both legitimate features in Microsoft Office. Both have been used in malware attacks. In both cases, Office documents from malicious spam provide warnings to let a victim know what’s going on. To fix the issue, you’d have to remove the DDE entirely,” Duncan said. “If DDE is a functionality, then yes, I agree with Microsoft’s statement that it won’t be patched. However, many articles about DDE state it’s been superseded by OLE functionality. If so, why doesn’t Microsoft get rid of DDE entirely? Are there any legitimate DDE cases that require Microsoft to retain this backwards compatibility?”
....
....

“The best option I’ve found so far to disable DDE? For each office Application, under the Options menu, go to Advanced Options –> General, then make sure the “Update automatic links at open” box is un-checked,” Duncan said. “I found that prevents Word documents with DDE attacks from working. But in online forums, some people indicate this change doesn’t necessarily stay, and ‘Update automatic links at open’ may get re-checked again on its own.”



Antivirus scan for 3fa85101873d1c3447594c309ea1e324beb578843e1fab7c05189830d2def126 at 2017-10-21 10:25:02 UTC - VirusTotal

Antivirus scan for ea132c34ebbc591eda78531e2bfb9a4cb40e55a245191f54e82df25be9b58db2 at 2017-10-21 10:26:27 UTC - VirusTotal

Antivirus scan for d2cca5f6109ec060596d7ea29a13328bd0133ced126ab70974936521db64b4f4 at 2017-10-21 15:10:01 UTC - VirusTotal

Antivirus scan for 4c054127056fb400acbab7825aa2754942121e6c49b0f82ae20e65422abdee4f at 2017-10-21 10:34:07 UTC - VirusTotal
 
Last edited:
  • Like
Reactions: harlan4096, Weebarra, silversurfer and 3 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Emotet malware now distributed in Microsoft OneNote files to evade defenses
Replies
15
Views
1,239
News Archive
ForgottenSeer 98186
F
Brownie2019
On Sale! Microsoft Office 2021 Professional Plus €29.99 EUR
Replies
0
Views
190
Discounts and Deals
Brownie2019
Brownie2019
silversurfer
    • Like
    • +Reputation
    • Wow
Malware News New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics
Replies
0
Views
704
Security News
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top