Security Alert: Microsoft Office Attack Runs Malware Without Needing Macros

Solarquest (Moderator, MalwareTips Staff, AV-Tester), post #1
Malware authors don't necessarily need to trick users into enabling macros to run malicious code. An alternative technique exists, one that takes advantage of another legitimate Office feature.
This feature is called Microsoft Dynamic Data Exchange (DDE) and allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

How the DDE attack works
....
 

Parsh (Level 24, Trusted, AV-Tester), post #2
There's recent news of a sophisticated, targeted attack on some US companies through a hijacked government server using the above technique:

An Eastern European hacking group hijacked U.S. state government servers to dispense malware through phishing emails that were designed to appear like they had come from the Securities and Exchange Commission, according to research by Cisco’s Talos team and an analysis by other cybersecurity experts familiar with the activity.

The technical findings connect a known advanced persistent threat (APT) group, codenamed FIN7 by U.S. cybersecurity firm FireEye, to a sophisticated intrusion technique that was detected in a recent wave of spoofed emails that mimicked the SEC’s domain. The messages carried malware-laden Microsoft Word documents mentioning financial disclosure information from the EDGAR system. FIN7 is believed to represent an Eastern European criminal enterprise that speaks Russian and operates internationally.
Emails tied to this campaign were “highly targeted” and only sent to a small, select group of U.S. businesses in several different industry sectors, including finance, insurance and information technology, said Craig Williams, a senior researcher with Talos.

The Technique:
In this case, the attackers were able to heavily obfuscate their intrusions by using a multi-stage infection chain that exploited a Dynamic Data Exchange (DDE) process in Microsoft Word to perform remote code execution. Additionally, the hackers used Domain Name System (DNS) commands to establish a stealthy connection back to a compromised state government server, which was configured to automatically download DNSMessenger malware onto breached computers.

“The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace,” a blogpost by Talos notes. “This attack shows the level of sophistication that is associated with threats facing organizations today … it is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected.”
Didier Stevens published a set of YARA rules that fellow malware hunters could use to identify Office documents making use of DDE attacks.
Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
The discovery is important, explained Beaumont, because this style of cyberattack would be highly effective even against companies or government agencies with significant cybersecurity protections already in place.
Cisco Talos Report
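The DDE field described in post #1 and the document-level detection Didier Stevens' YARA rules are mentioned for in post #2 both come down to the same thing: a Word field whose instruction begins with DDE or DDEAUTO. The scanner below is an added example, not code from the thread, from Microsoft, or from Didier Stevens' rules. It assumes the usual .docx layout (a zip archive whose word/*.xml parts carry field codes either as a w:fldSimple attribute or as w:instrText runs between fldChar begin/separate/end markers) and reassembles the instruction from its runs before matching, because attackers split the DDEAUTO keyword across runs to beat naive string searches. Both sample documents are constructed in memory; the "payload" is a harmless echo.

```python
"""Scan a .docx for DDE / DDEAUTO field codes.

Added example; not code from the thread, from Microsoft, or from Didier
Stevens' YARA rules. Assumptions: a .docx is a zip archive whose word/*.xml
parts hold field codes either as <w:fldSimple w:instr="..."/> or as
<w:instrText> runs between <w:fldChar w:fldCharType="begin"/> and the
"separate"/"end" markers. The sample documents below are constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instruction starting with DDE or DDEAUTO (case-insensitive). Word
# tolerates leading whitespace, and the instruction may be split across runs,
# so matching is done on the reassembled instruction, not on raw XML.
DDE_RE = re.compile(r'^\s*DDE(AUTO)?\b', re.IGNORECASE)


def field_codes(xml_bytes):
    """Yield every field instruction found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):        # simple field form
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    buf = None                                    # complex field form
    for el in root.iter():                        # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf = []                          # nested fields: outer one is dropped
            elif kind in ("separate", "end") and buf is not None:
                yield "".join(buf)
                buf = None
        elif el.tag == W + "instrText" and buf is not None:
            buf.append(el.text or "")


def scan_docx(data):
    """Return [(part name, whitespace-normalised field code)] for each DDE field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = list(field_codes(zf.read(name)))
            except ET.ParseError:
                continue
            for code in codes:
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_docx(body_xml):
    """Wrap body XML into a minimal in-memory .docx (constructed sample)."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="' + W_NS + '"><w:body>' + body_xml +
           '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # enough for this scanner
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed malicious body: DDEAUTO instruction split across three runs to
# defeat naive string matching. The command is a harmless echo, not a payload.
SPLIT_DDE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDEAU</w:instrText></w:r>'
    '<w:r><w:instrText>TO c:\\\\windows\\\\system32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText>"/c echo DDE demo"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>placeholder shown before the field updates</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

# Constructed benign body: an ordinary DATE field in the simple form.
BENIGN_BODY = ('<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
               '<w:r><w:t>4 October 2017</w:t></w:r></w:fldSimple></w:p>')


def demo():
    """Scan both constructed documents; only the split DDEAUTO one should hit."""
    return {"split_dde": scan_docx(build_docx(SPLIT_DDE_BODY)),
            "benign": scan_docx(build_docx(BENIGN_BODY))}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, hits or "no DDE fields")
```

Point the scanner at a real file with scan_docx(open(path, "rb").read()). Scanning every word/*.xml part (not only document.xml) matters because fields can also live in headers, footers and footnotes; legacy .doc (OLE) files need a different parser and are out of scope here.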
 

Lockdown (From AppGuard, Developer), post #4

Umbra (Level 85, Content Creator, Trusted), post #9
The latest implementation of the technique is an encrypted script that turns out to be an Empire PowerShell RAT downloaded from Amazon :D

"Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious."
Note that they talk about the scanners, not the behavioral modules.

Any HIPS or BB that monitors MS Office should detect it.
 

Slyguy (Level 32), post #10
I wouldn't use Office. It's by far the most targeted application. Scripts, macros, whatever... it's a very common vector. I'd certainly never put it on my home systems. I'd also strongly discourage using a common PDF viewer; Adobe DC is heavily targeted. Find an uncommon yet well-programmed one, use it, then don't tell anyone about it. LOL. Or use Sumatra, which is open source.

Since I am slowly migrating most of my non-gaming systems to a secured Linux/Debian distro or whatever, I like Okular a lot. I've given up Windows, except for heavily locked-down, default-deny, reduced-attack-surface ones for gaming, because there isn't much choice for gaming, right?
 

Umbra (Level 85, Content Creator, Trusted), post #11
Very easy to game with Windows: multi-boot your machine with a second, up-to-date Windows > install only games > add Shadow Defender (entering shadow mode at every boot) as the only security app, and enjoy.
 

vemn (Level 6, AV-Tester), post #15
"The latest implementation of the technique is an encrypted script that turns out to be an Empire PowerShell RAT downloaded from Amazon :D"
"Note that they talk about the scanners, not the behavioral modules."
"Any HIPS or BB that monitors MS Office should detect it."
Yeah, agreed. Those vendors that have behavior monitoring or HIPS should have (or, if you are seeing this, please add it) the capability to monitor sub-processes spun up by winword.exe, or, at least, kill powershell/cscript/wscript for a start.
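The parent/child check vemn asks for is easy to state as a rule: an Office process should rarely be the parent of cmd.exe, powershell.exe, cscript.exe, wscript.exe or similar interpreters. The triage below is an added example, not code from the thread or from any vendor product. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 records flattened to key="value" fields; the records are constructed for the demo, not real logs. It rates an Office-to-interpreter spawn as medium, raises it to high when the command line carries download-cradle or hidden-window switches, suppresses children Office starts routinely (such as splwow64.exe), and reports any other unexpected child at low severity so the "monitor every sub-process" and "kill the interpreters" approaches both have a hook.

```python
"""Flag Office applications spawning shell/script interpreters.

Added example; not code from the thread or from any vendor product.
Assumes process-creation records in the shape of Sysmon Event ID 1 reduced
to key="value" fields; the records below are constructed, not real telemetry.
"""
import ntpath
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Interpreters and LOLBins a DDE field (or a macro) typically hands off to.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}

# Children Office launches routinely; suppressed to keep the rule quiet.
# (splwow64.exe is the 32-bit print driver host Office starts on print/preview.)
EXPECTED_CHILDREN = {"splwow64.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Switches and cmdlets that mark a PowerShell download cradle or hidden run.
CRADLE_RE = re.compile(r"(?i)(-enc|encodedcommand|downloadstring|downloadfile|"
                       r"invoke-expression|\biex\b|\bhidden\b|-nop\b)")

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Turn one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def assess(record):
    """Return (severity, reason) for one ProcessCreate record, or None."""
    parent = ntpath.basename(record.get("ParentImage", "")).lower()
    child = ntpath.basename(record.get("Image", "")).lower()
    if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
        return None
    if child not in INTERPRETERS:
        return ("low", f"{parent} spawned unexpected child {child}")
    reason = f"{parent} spawned {child}"
    if CRADLE_RE.search(record.get("CommandLine", "")):
        return ("high", reason + " with download-cradle/hidden-window switches")
    return ("medium", reason)


def triage(lines):
    """Run assess() over raw log lines; return [(severity, child, reason)]."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "1":          # only ProcessCreate events
            continue
        verdict = assess(rec)
        if verdict:
            alerts.append((verdict[0], ntpath.basename(rec["Image"]).lower(), verdict[1]))
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    'EventID="1" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c powershell -NoP -w hidden -enc SQBFAFgA" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"',
    'EventID="1" Image="C:\\Windows\\splwow64.exe" CommandLine="C:\\Windows\\splwow64.exe 12288" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"',
    'EventID="1" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID="1" Image="C:\\Windows\\System32\\wscript.exe" CommandLine="wscript.exe C:\\Users\\Public\\update.vbs" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"',
    'EventID="3" Image="C:\\Windows\\System32\\cmd.exe" DestinationIp="10.0.0.5" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"',
]

if __name__ == "__main__":
    for sev, child, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {child}: {why}")
```

On the constructed records this yields one high alert (winword.exe starting cmd.exe with a hidden, encoded PowerShell command line) and one medium alert (excel.exe starting wscript.exe); the splwow64.exe child and the explorer-launched PowerShell produce nothing. The same logic maps directly onto a SIEM rule keyed on ParentImage and Image, or onto an application-control policy that blocks the INTERPRETERS set when the parent is an Office binary.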