Security News: Microsoft Office Attack Runs Malware Without Needing Macros

Solarquest

Malware authors don't necessarily need to trick users into enabling macros to run malicious code. An alternative technique exists, one that takes advantage of another legitimate Office feature.
This feature is called Microsoft Dynamic Data Exchange (DDE) and allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

How the DDE attack works
....
 

Parsh

There's recent news of a sophisticated, targeted attack on some US companies through a hijacked government server using the above technique:

An Eastern European hacking group hijacked U.S. state government servers to dispense malware through phishing emails that were designed to appear like they had come from the Securities and Exchange Commission, according to research by Cisco's Talos team and an analysis by other cybersecurity experts familiar with the activity.

The technical findings connect a known advanced persistent threat (APT) group, codenamed FIN7 by U.S. cybersecurity firm FireEye, to a sophisticated intrusion technique that was detected in a recent wave of spoofed emails that mimicked the SEC's domain. The messages carried malware-laden Microsoft Word documents mentioning financial disclosure information from the EDGAR system. FIN7 is believed to represent an Eastern European criminal enterprise that speaks Russian and operates internationally.
Emails tied to this campaign were “highly targeted” and only sent to a small, select group of U.S. businesses in several different industry sectors, including finance, insurance and information technology, said Craig Williams, a senior researcher with Talos.

The Technique:
In this case, the attackers were able to heavily obfuscate their intrusions by using a multi-stage infection chain that exploited a Dynamic Data Exchange (DDE) process in Microsoft Word to perform remote code execution. Additionally, the hackers used Domain Name System (DNS) commands to establish a stealthy connection back to a compromised state government server, which was configured to automatically download DNSMessenger malware onto breached computers.

“The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace,” a blogpost by Talos notes. “This attack shows the level of sophistication that is associated with threats facing organizations today … it is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected.”
Didier Stevens published a set of YARA rules that fellow malware hunters could use to identify Office documents making use of DDE attacks.
Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
The discovery is important, explained Beaumont, because this style of cyberattack would be highly effective even against companies or government agencies with significant cybersecurity protections already in place.
Cisco Talos Report
 
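The DDE field that the first post describes (a Word document pulling a table from Excel) and that Didier Stevens's YARA rules look for is stored in the document's WordprocessingML as a field code, either in a w:fldSimple attribute or spread over w:instrText runs between fldChar begin/end markers. The scanner below is an added example, not code from this thread, from Talos, or from Stevens's rules. It unzips a .docx, joins the split instrText runs that weaponised documents use to hide the DDE/DDEAUTO keyword, tracks nested fields with a stack, and reports every DDE field, legitimate Excel links included, which is what a scanner has to do given that the field name alone does not tell you the target is benign. The two sample documents are constructed in memory; the cmd.exe target and the Excel workbook path are illustrative, and the package is minimal (the scanner does not need a file Word would open).

```python
"""Scan a .docx for DDE / DDEAUTO field codes, joining split instrText runs.

Added example (not code from the original thread or from Didier Stevens's
YARA rules); the sample documents below are constructed in memory.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field code whose first token is DDE or DDEAUTO (optionally quoted).
DDE_RE = re.compile(r'^\s*"?\s*DDE(?:AUTO)?\b', re.IGNORECASE)


def _field_codes(root):
    """Yield every field instruction in one WordprocessingML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr.  Complex
    fields spread it over w:instrText runs between a fldChar 'begin' and
    'end'; attackers split those runs ("DD" + "EAUTO") to defeat naive
    string matching, so the runs are concatenated before inspection.
    Nested fields are tracked with a stack so a DDE field wrapped in a
    QUOTE field is still yielded on its own.
    """
    for fs in root.iter(W + "fldSimple"):
        yield fs.get(W + "instr", "")
    stack = []
    for el in root.iter():          # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")


def scan_docx(data: bytes) -> list:
    """Return the DDE/DDEAUTO field codes found in a .docx given as bytes.

    Every XML part under word/ is checked because fields can sit in
    headers, footers and footnotes, not only in document.xml.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            hits.extend(code.strip() for code in _field_codes(root)
                        if DDE_RE.search(code))
    return hits


CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)

# Constructed: an ordinary document containing only a DATE field.
BENIGN_DOC = (
    '<w:document xmlns:w="%s"><w:body><w:p>'
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    "<w:r><w:t>11 October 2017</w:t></w:r></w:fldSimple>"
    "</w:p></w:body></w:document>" % W_NS
)

# Constructed: a DDE link to Excel (the legitimate use the first post
# describes) plus a DDEAUTO field split across runs and nested inside a
# QUOTE field, the way weaponised documents hide the keyword.
DDE_DOC = (
    '<w:document xmlns:w="%s"><w:body>'
    '<w:p><w:fldSimple w:instr=" DDE Excel &quot;c:\\\\book.xlsx&quot; Sheet1!R1C1:R3C3 ">'
    "<w:r><w:t>table</w:t></w:r></w:fldSimple></w:p>"
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> QUOTE </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO c:\\\\Windows\\\\System32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/k echo constructed sample" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>Error! No DDE source.</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>quoted</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p></w:body></w:document>" % W_NS
)


def build_docx(document_xml: str) -> bytes:
    """Pack a minimal .docx (constructed test input) around document.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def main():
    for label, xml_text in (("benign", BENIGN_DOC), ("dde", DDE_DOC)):
        print(label, "->", scan_docx(build_docx(xml_text)) or "no DDE fields")


if __name__ == "__main__":
    main()
```

Point scan_docx at real files with `scan_docx(open(path, "rb").read())`. Matching on the joined field code rather than on raw bytes is what makes the split-run trick fail; a plain `grep DDEAUTO` on document.xml misses the second sample.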

BoraMurdar

Just...

[Image: Keep calm and think before you click]

Deleted member 178

The latest implementation of the technique is an encrypted script that turns out to be an Empire PowerShell RAT downloaded from Amazon :D

Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
Note that they talk about the scanners, not the behavioral modules.

Any HIPS or BB that monitors MS Office should detect it.
 
ForgottenSeer 58943

I wouldn't use Office. It's by far the most targeted application. Scripts, macros, whatever. It's a very common vector. I'd certainly never put it on my home systems. Also, I'd strongly discourage using a common PDF viewer. Adobe DC is heavily targeted. Find an uncommon, yet well programmed one, use it, then don't tell anyone about it. LOL Or use Sumatra, which is open source.

I am slowly migrating most of my non-gaming systems to a secured Linux/Debian distro or whatever, and I like Okular a lot. I've given up Windows, except for heavily locked down, default-deny, lowered-threat-surface ones for gaming, because there isn't much choice for gaming, right?
 

vemn

The latest implementation of the technique is an encrypted script that turns out to be an Empire PowerShell RAT downloaded from Amazon :D
Note that they talk about the scanners, not the behavioral modules.
Any HIPS or BB that monitors MS Office should detect it.

Yeah, agreed. Those vendors that have behavior monitoring or HIPS should have (or, if you are seeing this, please add) the capability to monitor sub-processes spun up by winword.exe, or at least kill powershell/cscript/wscript for a start.
 
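The parent/child check vemn asks vendors for, written as an added example against Sysmon Event ID 1 (ProcessCreate) records; it is not code from the thread or from any vendor's HIPS. It takes Sysmon events as XML, keeps only process creations whose ParentImage is an Office host and whose Image is a script host, and marks command lines that use PowerShell's -EncodedCommand switch (or one of its prefixes), since the payloads discussed above arrive as encoded PowerShell. The post names winword.exe and powershell/cscript/wscript; the other Office parents and cmd.exe/mshta.exe are added here as an assumption. The five events are constructed, not captured logs.

```python
"""Flag script hosts spawned by Office processes in Sysmon Event ID 1 records.

Added example (not code from the thread or from any vendor product); the
Sysmon events below are constructed, not captured logs.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# The thread names winword.exe; the other Office hosts are an assumption.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The thread names powershell/cscript/wscript; cmd.exe and mshta.exe are
# added here as an assumption.
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b", re.IGNORECASE)


def parse_sysmon_event(xml_text):
    """Return (event_id, {Name: value}) for one Sysmon <Event> record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("./{*}System/{*}EventID"))
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//{*}Data")}
    return event_id, data


def office_child_alerts(events):
    """Run the detection over an iterable of Sysmon event XML strings."""
    alerts = []
    for xml_text in events:
        event_id, data = parse_sysmon_event(xml_text)
        if event_id != 1:                      # only ProcessCreate
            continue
        parent = ntpath.basename(data.get("ParentImage", "")).lower()
        child = ntpath.basename(data.get("Image", "")).lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            cmd = data.get("CommandLine", "")
            alerts.append({
                "parent": parent,
                "child": child,
                "encoded": bool(ENCODED_RE.search(cmd)),
                "command_line": cmd,
            })
    return alerts


# Constructed Sysmon ProcessCreate records (namespace as Sysmon emits it).
EVENT_TMPL = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System><EventData>"
    '<Data Name="Image">{image}</Data>'
    '<Data Name="CommandLine">{cmd}</Data>'
    '<Data Name="ParentImage">{parent}</Data>'
    "</EventData></Event>"
)
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # Word launching PowerShell with an encoded command: alert.
    EVENT_TMPL.format(eid=1, image=PS, parent=WORD,
                      cmd="powershell.exe -NoP -w hidden -enc SQBFAFgA"),
    # Word spawning the print spooler helper: benign, no alert.
    EVENT_TMPL.format(eid=1, image=r"C:\Windows\splwow64.exe", parent=WORD,
                      cmd="splwow64.exe"),
    # PowerShell started from Explorer by a user: not an Office child.
    EVENT_TMPL.format(eid=1, image=PS, parent=r"C:\Windows\explorer.exe",
                      cmd="powershell.exe"),
    # Excel spawning cmd.exe: alert, not encoded.
    EVENT_TMPL.format(eid=1, image=r"C:\Windows\System32\cmd.exe", parent=EXCEL,
                      cmd='cmd.exe /c "echo constructed sample"'),
    # A NetworkConnect event (ID 3) with the same images: ignored.
    EVENT_TMPL.format(eid=3, image=PS, parent=WORD, cmd=""),
]


def main():
    for alert in office_child_alerts(SAMPLE_EVENTS):
        print("ALERT", alert["parent"], "->", alert["child"],
              "(encoded)" if alert["encoded"] else "", alert["command_line"])


if __name__ == "__main__":
    main()
```

The rule deliberately keys on the parent/child pair rather than on the DDE field itself, so it fires regardless of how the document was obfuscated; the cost is that a legitimate macro or add-in that shells out to cmd.exe from Excel would also trip it, which is why the encoded-command flag is carried separately for triage.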
