A newly discovered unpatched attacking method that exploits a built-in feature of Microsoft Office is currently being used in various widespread malware attack campaigns.
Last week we reported how hackers could leverage an old Microsoft Office feature called Dynamic Data Exchange (DDE) to perform malicious code execution on the targeted device without requiring macros enabled or memory corruption.
The DDE protocol is one of the several methods that Microsoft uses to allow two running applications to share the same data.
The protocol is being used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.
The DDE exploitation technique displays no "security" warnings to victims, except asking them if they want to execute the application specified in the command, although this popup alert could also be eliminated "with proper syntax modification."
Soon after the details of the DDE attack technique went public, Cisco's Talos threat research group published a report about an attack campaign actively exploiting this attack technique in the wild to target several organisations with a fileless remote access trojan (RAT) called DNSMessenger.
Necurs Botnet Using DDE Attack to Spread Locky Ransomware
Now, hackers have been found using the Necurs Botnet (malware that currently controls over 6 million infected computers worldwide and sends millions of emails) to distribute Locky ransomware and TrickBot banking trojan using Word documents that leverage the newly discovered DDE attack technique, reported SANS ISC.
Locky ransomware hackers previously relied on macro-based booby-trapped MS Office documents, but now they have updated the Necurs Botnet to deliver malware via the DDE exploit and gain an ability to take screenshots of the desktops of victims.
"What's interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims," Symantec said in a blog post.
"It can take screen grabs and send them back to a remote server. There's also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities."
Hancitor Malware Using DDE Attack
Another separate malware spam campaign discovered by security researchers has also been found distributing Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit.
Hancitor is a downloader that installs malicious payloads like banking trojans, data theft malware and ransomware on infected machines and is usually delivered as a macro-enabled MS Office document in phishing emails.
How to Protect Yourself From Word DDE Attacks?
Since DDE is a legitimate Microsoft feature, most antivirus solutions do not flag any warning or block MS Office documents with DDE fields, nor does the tech company have any plans to issue a patch that would remove its functionality.
So, you can protect yourself and your organisation from such attacks by disabling the "update automatic links at open" option in the MS Office programs.
To do so, open Word → select File → Options → Advanced, scroll down to General, and then uncheck "Update Automatic links at Open."
However, the best way to protect yourself from such attacks is always to be suspicious of any uninvited document sent via email and never click on links inside those documents unless adequately verifying the source.