Security researchers at Cisco's Talos threat inquiry grouping convey discovered 1 such assault displace spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or retentiveness corruption.
This Macro-less code execution inward MSWord technique, described inward special on Mon past times a duet of safety researchers from Sensepost, Etienne Stalmans as well as Saif El-Sherei, which leverages a built-in characteristic of MS Office, called Dynamic Data Exchange (DDE), to perform code execution.
Dynamic Data Exchange (DDE) protocol is 1 of the several methods that Microsoft allows 2 running applications to portion the same data. The protocol tin sack hold upward used past times applications for quondam information transfers as well as for continuous exchanges inward which apps ship updates to 1 about other every bit novel information becomes available.
Thousands of applications work the DDE protocol, including Microsoft's Excel, MS Word, Quattro Pro, as well as Visual Basic.
The exploitation technique that the researchers described displays no "security" warnings to victims, except shout out for them if they desire to execute the application specified inward the command—however, this popup alarm could also hold upward eliminated "with proper syntax modification," the researchers say.
MS Word DDE Attack Being Actively Exploited In the Wild
As described past times Cisco researchers, this technique was constitute actively beingness exploited inward the wild past times hackers to target several organisations using pike phishing emails, which were spoofed to brand them expect every bit if they're sent past times the Securities as well as Exchange Commission (SEC) as well as convince users into opening them.
"The emails themselves contained a malicious attachment [MS Word] that when opened would initiate a sophisticated multi-stage infection procedure leading to infection amongst DNSMessenger malware," reads a blog post published past times Talos researchers.Earlier March, Talos researchers constitute attackers distributing DNSMessenger—a completely fileless remote access trojan (RAT) that uses DNS queries to bear malicious PowerShell commands on compromised computers.
Once opened, victims would hold upward prompted amongst a message informing them that the document contains links to external files, shout out for them to allow or deny the content to hold upward retrieved as well as displayed.
"Interestingly, the DDEAUTO champaign used past times this malicious document retrieved code that the assaulter had initially hosted on a Louisiana terra firma authorities website, which was seemingly compromised as well as used for this purpose," the researchers say.
How to Protect Yourself And Detect MS Word DDE Attacks
What's to a greater extent than worrying? Microsoft doesn't consider this every bit a safety issue, rather according to the society the DDE protocol is a characteristic that tin sack non hold upward removed only could hold upward improved amongst improve warning alerts for users inward future.
Although there's no straight means to disable DDE code execution, users tin sack proactively monitor scheme resultant logs to banking concern gibe possible exploitation.
The best means to protect yourself from such malware attacks is ever to hold upward suspicious of whatsoever uninvited document sent via an e-mail as well as never click on links within those documents unless properly verifying the source.
