Security Alert: Microsoft Office Attack Runs Malware Without Needing Macros

Discussion in 'Security News' started by Solarquest, Oct 12, 2017.

  1. Solarquest
     Moderator, Staff Member, AV Tester
    Malware authors don't necessarily need to trick users into enabling macros to run malicious code. An alternative technique exists, one that takes advantage of another legitimate Office feature.
    This feature is called Microsoft Dynamic Data Exchange (DDE) and allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

    DDE is an old feature, which Microsoft has superseded with the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

    How the DDE attack works
    ....
     
  2. Parsh
     Level 24, Trusted AV Tester
     Consultant at Oracle, 7 Islands of Bombay, Windows 10, Default-Deny
    There's recent news of a sophisticated, targeted attack on some US companies through a hijacked government server using the above technique:

    An Eastern European hacking group hijacked U.S. state government servers to dispense malware through phishing emails that were designed to appear like they had come from the Securities and Exchange Commission, according to research by Cisco’s Talos team and an analysis by other cybersecurity experts familiar with the activity.

    The technical findings connect a known advanced persistent threat (APT) group, codenamed FIN7 by U.S. cybersecurity firm FireEye, to a sophisticated intrusion technique that was detected in a recent wave of spoofed emails that mimicked the SEC’s domain. The messages carried malware-laden Microsoft Word documents mentioning financial disclosure information from the EDGAR system. FIN7 is believed to represent an Eastern European criminal enterprise that speaks Russian and operates internationally.
    Emails tied to this campaign were “highly targeted” and only sent to a small, select group of U.S. businesses in several different industry sectors, including finance, insurance and information technology, said Craig Williams, a senior researcher with Talos.

    Didier Stevens published a set of YARA rules that fellow malware hunters could use to identify Office documents making use of DDE attacks.
    Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
    The discovery is important, explained Beaumont, because this style of cyberattack would be highly effective even against companies or government agencies with significant cybersecurity protections already in place.
    Cisco Talos Report
     
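The post above mentions Didier Stevens' YARA rules for spotting DDE fields and that most scanners do not flag them. As an added example, not code from this thread, from Didier Stevens or from any AV product, here is a small Python scanner that checks every WordprocessingML part of a .docx package for field instructions invoking DDE or DDEAUTO. It joins instruction text that is split across several w:instrText runs and tolerates nested fields, two tricks used to evade naive string matching. The minimal document it builds in memory is constructed for the demo; its DDE field only echoes text via cmd.exe, and that field text is an assumption about what such a field looks like, not a sample from the campaign.

```python
"""Scan a .docx package for DDE / DDEAUTO field instructions.

Added example; not code from the thread, Didier Stevens' YARA rules or any
AV product. It looks for what those rules look for: Word field codes
(w:fldSimple/@w:instr, or w:instrText runs between fldChar begin/end)
whose instruction invokes DDE. The sample document is constructed in
memory and only echoes text through cmd.exe (an assumption for the demo).
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field codes are case-insensitive; match DDE or DDEAUTO as a whole word
# anywhere in the whitespace-normalised instruction, so nesting inside a
# QUOTE field or padding with spaces does not hide it.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(part_xml: bytes):
    """Yield each field instruction in one WordprocessingML part.

    Instruction text may be split across many w:instrText runs and fields
    may be nested; everything between the outermost fldChar begin and its
    end is joined into one string so that splitting cannot defeat the check.
    """
    root = ET.fromstring(part_xml)
    depth, buf = 0, []
    for el in root.iter():                      # document order
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0 and buf:
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    if buf:                                     # unterminated field
        yield "".join(buf)


def scan_docx(data: bytes):
    """Return (part name, normalised instruction) for every DDE field found
    in any XML part under word/ (body, headers, footers, footnotes...)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instrs = list(field_instructions(zf.read(name)))
            except ET.ParseError:
                continue
            for instr in instrs:
                norm = " ".join(instr.split())
                if DDE_RE.search(norm):
                    hits.append((name, norm))
    return hits


def build_sample_docx(instr_runs):
    """Constructed minimal package: one paragraph with a harmless PAGE field
    and a second field whose instruction is split across the given runs.
    Only word/document.xml is written; the scanner needs nothing else."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % r
        for r in instr_runs)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>1</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W_NS, runs))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Instruction split across three runs, as seen in obfuscated samples
# (constructed; the command only echoes text).
SAMPLE_RUNS = ["DD", "EAUTO c:\\\\windows\\\\system32\\\\cmd.exe ",
               '"/c echo constructed sample"']

if __name__ == "__main__":
    targets = sys.argv[1:]
    blobs = ([open(p, "rb").read() for p in targets] if targets
             else [build_sample_docx(SAMPLE_RUNS)])
    for blob in blobs:
        for part, instr in scan_docx(blob):
            print("DDE field in %s: %s" % (part, instr))
```

Run it with one or more .docx paths to scan real files, or with no arguments to scan the constructed sample. It deliberately covers every XML part under word/, since a DDE field placed in a header or footer is just as live as one in the body; legacy .doc (OLE2) files need a different parser and are out of scope here.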
  3. frogboy
     Level 61, Trusted
     Heavy Duty Mechanic, Western Australia, Windows 10, Emsisoft
  4. Lockdown
     From AppGuard, Developer
     AppGuard LLC, Virginia, U.S.
  5. Parsh
     Level 24, Trusted AV Tester
     Consultant at Oracle, 7 Islands of Bombay, Windows 10, Default-Deny
    Never tried SpyShelter. Will it monitor for that at default settings/mode, or is some tweaking needed?
     
  6. Lockdown
     From AppGuard, Developer
     AppGuard LLC, Virginia, U.S.
    "Ask User" security setting.
     
  7. BoraMurdar
     Super Moderator, Staff Member
     Doctor of medicine, Serbia, Windows 7, Emsisoft
    Just...
    [image]
    [image]
     
  8. Solarquest
     Moderator, Staff Member, AV Tester
  9. Umbra
     From Emsisoft, Developer
     Community manager, Vietnam & France, Windows 10, Emsisoft
    The latest implementation of the technique is an encrypted script that turns out to be an Empire PowerShell RAT downloaded from Amazon :D

    Note that they talk about the scanners, not the behavioral modules.

    Any HIPS or BB that monitors MS Office should detect it.
     
  10. Slyguy
     Level 13
     IT Security Engineer, USA, Linux
    I wouldn't use Office. It's by far the most targeted application. Scripts, macros, whatever.. It's a very common vector. I'd certainly never put it on my home systems. Also, I'd strongly discourage using a common PDF viewer.. Adobe DC, heavily targeted. Find an uncommon, yet well-programmed one, use it, then don't tell anyone about it. LOL Or use Sumatra, which is open source.

    Since I am slowly migrating most of my non-gaming systems to a secured Linux/Debian distro or whatever, I like Okular a lot. I've given up Windows, except heavily locked down, Default-Deny, lowered-threat-surface ones for gaming, because there isn't much choice for gaming, right?
     
  11. Umbra
     From Emsisoft, Developer
     Community manager, Vietnam & France, Windows 10, Emsisoft
    Very easy to game with Windows: multi-boot your machine with a 2nd up-to-date Windows > install only games > add Shadow Defender (entering shadow mode at every boot) as the only security app, enjoy.
     
  12. Solarquest
     Moderator, Staff Member, AV Tester
    We will test it soon in the HUB.:)
     
  13. _CyberGhosT_
     Level 51, Trusted
     Retired, Central US, Linux Mint, Default-Deny
    Thanks brother, look forward to it ;)
     
  14. vemn
     Level 5
     IT SYSADMIN, Singapore
    Yeah, agree. Those vendors that have behavior monitoring or HIPS should have (or if you are seeing this, please add it) capabilities to monitor sub-processes spun up by winword.exe. OR, at least, killing powershell/cscript/wscript for a start.
     
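The detection the post above asks for, as an added example that is not from this thread or from any vendor's HIPS or behaviour blocker: Python that walks process ancestry in a list of process-creation records shaped like Sysmon Event ID 1 fields (Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine) and flags script hosts with an Office application among their ancestors. It goes one step beyond "child of winword.exe" by following an intermediate cmd.exe hop, since a DDE field launches its command through a shell before PowerShell or a script engine starts. The field names, the host lists beyond powershell/cscript/wscript, and the sample events are this example's assumptions, not captured logs.

```python
"""Flag script hosts launched by Microsoft Office, directly or via cmd.exe.

Added example, not from the thread or any vendor's HIPS. It walks process
ancestry in a list of process-creation records shaped like Sysmon Event ID 1
(Image, ParentImage, ProcessGuid, ParentProcessGuid, CommandLine); the field
names and the sample events are constructed assumptions, not captured logs.
"""
import ntpath

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The hosts the post names, plus cmd.exe and other LOLBins commonly chained
# from it (the extra entries are this example's assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe",
                "cmd.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
MAX_HOPS = 5   # how far up the tree to look for an Office ancestor


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def office_spawned_script_hosts(events):
    """Return one alert per script-host process that has an Office application
    among its ancestors. Parents are found via ParentProcessGuid; ParentImage
    is read from each record, so a missing parent record still gives one hop."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        child = image_name(e["Image"])
        if child not in SCRIPT_HOSTS:
            continue
        chain, cur = [child], e
        for _ in range(MAX_HOPS):
            parent = image_name(cur["ParentImage"])
            chain.append(parent)
            if parent in OFFICE_HOSTS:
                alerts.append({"image": child,
                               "chain": " <- ".join(chain),
                               "command_line": e.get("CommandLine", "")})
                break
            cur = by_guid.get(cur["ParentProcessGuid"])
            if cur is None:          # tree root, or parent not logged
                break
    return alerts


# Constructed sample: a document launches cmd.exe, which launches PowerShell;
# an admin's own PowerShell and Word's print helper must not alert.
SAMPLE_EVENTS = [
    {"ProcessGuid": "W1", "ParentProcessGuid": "E1",
     "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "WINWORD.EXE /n invoice.docx"},
    {"ProcessGuid": "C1", "ParentProcessGuid": "W1",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -c \"echo sample\""},
    {"ProcessGuid": "P1", "ParentProcessGuid": "C1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -c \"echo sample\""},
    {"ProcessGuid": "P2", "ParentProcessGuid": "E1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"ProcessGuid": "S1", "ParentProcessGuid": "W1",
     "Image": "C:\\Windows\\splwow64.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for a in office_spawned_script_hosts(SAMPLE_EVENTS):
        print("ALERT %-15s %s | %s" % (a["image"], a["chain"], a["command_line"]))
```

On the sample this raises two alerts (cmd.exe under WINWORD.EXE, then powershell.exe two hops down) and stays quiet for the explorer-launched PowerShell and for splwow64.exe, which Word legitimately spawns. The same logic maps directly onto an EDR or SIEM rule keyed on parent/child image names; the GUID walk is what keeps a one-level "parent is winword.exe" rule from missing the shell-in-the-middle case.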
  15. gorblimey
     Level 1
     Eastern Indian Ocean, Windows 7, Zemana
    Lotus SmartSuite. Pre-Symphony and much, much more useful. If you can source a CD, I'm sure IBM will accept your license fee o_O You should make sure it's the Millennium Edition :cool:
     