There is recent news of a sophisticated, targeted attack on some US companies through a hijacked government server using the technique described above:
An Eastern European hacking group hijacked U.S. state government servers to dispense malware through phishing emails that were designed to appear like they had come from the Securities and Exchange Commission, according to research by Cisco's Talos team and an analysis by other cybersecurity experts familiar with the activity.
The technical findings connect a known advanced persistent threat (APT) group, codenamed FIN7 by U.S. cybersecurity firm FireEye, to a sophisticated intrusion technique that was detected in a recent wave of spoofed emails that mimicked the SEC's domain. The messages carried malware-laden Microsoft Word documents mentioning financial disclosure information from the EDGAR system.
FIN7 is believed to represent an Eastern European criminal enterprise that speaks Russian and operates internationally.
Emails tied to this campaign were "highly targeted" and only sent to a small, select group of U.S. businesses in several different industry sectors, including finance, insurance and information technology, said Craig Williams, a senior researcher with Talos.
The Technique:
In this case, the attackers were able to heavily obfuscate their intrusions by using a multi-stage infection chain that exploited a Dynamic Data Exchange (DDE) process in Microsoft Word to perform remote code execution. Additionally, the hackers used Domain Name System (DNS) commands to establish a stealthy connection back to a compromised state government server, which was configured to automatically download DNSMessenger malware onto breached computers.
“The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace,” a blogpost by Talos notes. “This attack shows the level of sophistication that is associated with threats facing organizations today … it is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected.”
Didier Stevens published a set of YARA rules that fellow malware hunters could use to identify Office documents making use of DDE attacks.
Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
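Since most scanners do not flag DDE fields, a defender can check incoming .docx attachments directly. The following is an added example (not Didier Stevens' YARA rules and not code from the Talos report) that unzips a .docx, rejoins field instructions that obfuscated documents split across several `<w:instrText>` runs, and reports any DDE or DDEAUTO field; the two sample documents are constructed in the block and the field's "command" is a placeholder string.

```python
import html
import io
import re
import zipfile

# Field instructions live in <w:instrText> runs between fldChar begin/end markers
# (often split over several runs) or in the w:instr attribute of <w:fldSimple>.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLDSIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.I)
BEGIN, END = 'w:fldCharType="begin"', 'w:fldCharType="end"'

def field_instructions(xml: str) -> list[str]:
    """Return every complete field instruction in one XML part, split runs rejoined."""
    fields = []
    for chunk in xml.split(BEGIN)[1:]:      # text following each field "begin" marker
        chunk = chunk.split(END, 1)[0]      # ... up to that field's "end" marker
        fields.append(html.unescape("".join(INSTR_RE.findall(chunk))))
    fields.extend(html.unescape(m) for m in FLDSIMPLE_RE.findall(xml))
    return fields

def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Scan every word/*.xml part of a .docx; return DDE/DDEAUTO field instructions."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                hits += [f.strip() for f in field_instructions(xml) if DDE_RE.search(f)]
    return hits

def build_docx(paragraph_xml: str) -> bytes:
    """Constructed minimal .docx: a zip holding only word/document.xml with one paragraph."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   f"<w:document><w:body><w:p>{paragraph_xml}</w:p></w:body></w:document>")
    return buf.getvalue()

# Constructed samples; the DDE field name is split over two runs and its "command" is a placeholder.
DDE_SAMPLE = build_docx(
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r><w:r><w:instrText>AUTO</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve"> &quot;placeholder-command&quot;</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Error!</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
BENIGN_SAMPLE = build_docx(  # an ordinary PAGE field plus a simple DATE field
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> PAGE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>x</w:t></w:r></w:fldSimple>')
```

Running `find_dde_fields(DDE_SAMPLE)` returns the rejoined `DDEAUTO "placeholder-command"` instruction while the benign document yields an empty list; the same scan applies to headers, footers and other `word/*.xml` parts where a field can also be placed.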
The discovery is important, explained Beaumont, because this style of cyberattack would be highly effective even against companies or government agencies with significant cybersecurity protections already in place.
Cisco Talos Report