Security News Microsoft Office Attack Runs Malware Without Needing Macros

Solarquest

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
1
23,394
3,488
Malware authors don't necessarily need to trick users to enable macros to run malicious code. An alternative technique exists, one that takes advantage of another legitimate Office feature.
This feature is called Microsoft Dynamic Data Exchange (DDE) and allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

DDE is an old feature, which Microsoft has superseded via the newer Object Linking and Embedding (OLE) toolkit, but DDE is still supported by Office applications.

How the DDE attack works
....
 
  • Like
Reactions: shukla44, vemn, Der.Reisende and 18 others
There's a recent news on a sophisticated, targeted attack on some US Companies through a Hijacked Government Server using the above technique:

An Eastern European hacking group hijacked U.S. state government servers to dispense malware through phishing emails that were designed to appear like they had come from the Securities and Exchange Commission, according to research by Cisco’s Talos team and an analysis by other cybersecurity experts familiar with the activity.

The technical findings connect a known advanced persistent threat (APT) group, codenamed FIN7 by U.S. cybersecurity firm FireEye, to a sophisticated intrusion technique that was detected in a recent wave of spoofed emails that mimicked the SEC’s domain. The messages carried malware-laden Microsoft Word documents mentioning financial disclosure information from the EDGAR system. FIN7 is believed to represent a eastern European criminal enterprise that speaks Russian and operates internationally.
Emails tied to this campaign were “highly targeted” and only sent to a small, select group of U.S. businesses in several different industry sectors, including finance, insurance and information technology, said Craig Williams, a senior researcher with Talos.

The Technique:
In this case, the attackers were able to heavily obfuscate their intrusions by using a multi-stage infection chain that exploited a Dynamic Data Exchange (DDE) process in Microsoft Word to perform remote code execution. Additionally, the hackers used Domain Name System (DNS) commands to establish a stealthy connection back to a compromised state government server, which was configured to automatically download DNSMessenger malware onto breached computers.

“The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace,” a blogpost by Talos notes. “This attack shows the level of sophistication that is associated with threats facing organizations today … it is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected.”
Click to expand...
Didier Stevens published a set of YARA rules that fellow malware hunters could use to identify Office documents making use of DDE attacks.
Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
The discovery is important, explained Beaumont, because this style of cyberattack would be highly effective even against companies or government agencies with significant cybersecurity protections already in place.
Cisco Talos Report
 
  • Like
Reactions: shukla44, vemn, Der.Reisende and 15 others
Just...

keep-calm-and-think-before-you-click-20.png
 
  • Like
Reactions: shukla44, vemn, Der.Reisende and 9 others
Latest implementation of the technique is an encrypted script that turn to be an Empire Powershell RAT downloaded from Amazon :D

Parsh said:
Currently, most antivirus vendors do not flag Office documents with DDE fields as suspicious or malicious.
Click to expand...
Note that they talk about the scanners, not the behavioral modules.

Any HIPS or BB that monitors MS Office should detect it.
 
  • Like
Reactions: shukla44, vemn, Parsh and 7 others
frogboy said:
Luckily for me I just use Download LibreOffice | LibreOffice - Free Office Suite - Fun Project - Fantastic People it is free and suits all my needs. :)
Click to expand...

I wouldn't use Office. It's by far the most targeted application. Scripts, Macros, whatever.. It's a very common vector. I'd certainly never put it on my home systems. Also, I'd strongly discourage using a common PDF viewer.. Adobe DC, heavily targeted. Find an uncommon, yet well programmed one, use it, then don't tell anyone about it. LOL Or use Sumatra, which is opensource.

Since I am slowly migrating most of my non-gaming systems to a secured Linux/debian distro or whatever. I like Okular a lot. I've given up Windows, except heavily locked down Default-Deny, lowered threat surface ones for gaming because there isn't much choice for gaming, right?
 
  • Like
Reactions: shukla44, vemn, Parsh and 5 others
Umbra said:
Latest implementation of the technique is an encrypted script that turn to be an Empire Powershell RAT downloaded from Amazon :D
Note that they talk about the scanners, not the behavioral modules.
Any HIPS or BB that monitors MS Office should detect it.
Click to expand...

Yeah Agree, those vendors that have behavior monitoring or HIPS should have (or if you are seeing this, please add it) capabilities to monitor sub-process spinned up after winword.exe. OR, at least killing powershell/cscript/wscript for a start.
 
  • Like
Reactions: Parsh and Andy Ful
You must log in or register to reply here.

You may also like...