Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit
Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider a security issue and has already declined to patch.

Last month, we reported how hackers could leverage a built-in Microsoft Office feature, called Dynamic Data Exchange (DDE), to perform code execution on the targeted device without requiring macros to be enabled or any memory corruption.

The DDE protocol is one of the several methods Microsoft uses to allow two running applications to share the same data.

The protocol is used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic, for one-time data transfers and for continuous exchanges in which applications send updates to one another.

Soon after the details of the DDE attack went public, several reports emerged about various widespread attack campaigns abusing this technique in the wild to target several organisations with malware.

Now, for the first time, this DDE attack technique has been found being leveraged by an Advanced Persistent Threat (APT) hacking group, APT28, which is well known as Fancy Bear and is widely believed to be backed by the Russian government.

Russian Hackers Using New York Terror Attack to Lure Victims


While analysing a new spear-phishing campaign, security researchers discovered that the Fancy Bear hackers have been leveraging the DDE vulnerability since late October, according to a report published Tuesday by McAfee researchers.

The campaign involved documents referencing the recent terrorist attack in New York City in an attempt to trick victims into clicking on the malicious documents, which eventually infect their systems with malware.

Since DDE is a legitimate Microsoft feature, most antivirus solutions don't raise any alert or block documents containing DDE fields.

Therefore, anyone who clicks on the malicious attachment (with names like SabreGuard2017.docx or IsisAttackInNewYork.docx) inadvertently runs malicious code on his/her computer without any restriction or detection.

Once opened, the document contacts a command-and-control server to install the first stage of the malware, called Seduploader, on victims' machines using PowerShell commands.

Seduploader then profiles prospective victims by sending basic host information from the infected system to the hackers. If the system is of interest, the attackers later install a more fully featured piece of spyware, X-Agent and Sedreco.
"APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections but can also rapidly incorporate new exploitation techniques to increase its success," McAfee researchers concluded.
"Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses."
This is not the first malware campaign that has been spotted abusing the DDE attack technique.

Soon after the details of the DDE attack technique went public, Cisco's Talos threat research group uncovered an attack campaign that was actively exploiting this technique to target several organisations with a fileless remote access trojan called DNSMessenger.

Late last month, researchers discovered a campaign that spread Locky ransomware and the TrickBot banking trojan via Word documents that leveraged the DDE technique.

Another separate malware spam campaign discovered by security researchers was also found distributing Hancitor malware (also known as Chanitor and Tordal) using the Microsoft Office DDE exploit.

Protection Against DDE Malware Attacks


Since Microsoft does not provide any protection against such attacks, you can easily prevent yourself from falling victim to any malicious document abusing Microsoft's DDE feature by disabling it entirely.

If you use Microsoft Word 2016 or Microsoft Excel 2016, go to Options → Advanced, and then remove the checkmark from "Update automatic links at open", which is listed under the General group on that page.

In MS Excel, you can also consider checking "Ignore other applications that use Dynamic Data Exchange (DDE)."

Moreover, Disable DDEAuto is a Registry file maintained on GitHub that, when run, disables the "update links" as well as the "embedded files" functionality in MS Office documents.

You can detect Office documents abusing the DDE feature via a set of YARA rules for Office Open XML files published by the researchers at NVISO Labs.
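
A minimal scanner in the same spirit, added here as an example (it is not code from this article or from NVISO Labs): it unpacks a .docx, joins the runs that make up each field instruction, and reports any DDE or DDEAUTO field. The two sample documents are constructed in memory, and the placeholder-app/placeholder-arg strings stand in for whatever a real field would name.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # the DDE / DDEAUTO field keyword

def field_instructions(xml_bytes):
    """Yield each field instruction in one part: w:fldSimple/@w:instr, or the joined w:instrText runs of a complex field."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    buf, depth = [], 0
    for el in root.iter():  # document order, so begin / instrText / end arrive in sequence
        kind = el.get(W + "fldCharType") if el.tag == W + "fldChar" else None
        if kind == "begin":
            depth += 1
        elif kind == "end" and depth:
            depth -= 1
            if depth == 0:  # outermost field closed: emit what its runs spelled out
                yield "".join(buf)
                buf = []
        elif el.tag == W + "instrText" and depth:
            buf.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Return (part name, normalised instruction) for every DDE/DDEAUTO field; all XML parts under word/ are scanned."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in field_instructions(z.read(name)):
                    norm = " ".join(instr.split())  # collapse the whitespace padding fields carry
                    if DDE_RE.search(norm):
                        hits.append((name, norm))
    return hits

def build_docx(body_xml):
    """Constructed helper: a minimal zip holding only the part this scanner reads."""
    doc = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W[1:-1], body_xml)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed samples: a complex field whose keyword is split across two runs (Word does this
# whenever run formatting differs), and a benign document carrying an ordinary DATE field.
SUSPECT = build_docx('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>DD</w:instrText></w:r>'
                     '<w:r><w:instrText>EAUTO "placeholder-app" "placeholder-arg"</w:instrText></w:r>'
                     '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
BENIGN = build_docx('<w:p><w:fldSimple w:instr=" DATE \\* MERGEFORMAT "/></w:p>')
```

Because headers, footers and footnotes live in their own parts under word/, the scan covers those as well, not just the main body.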

However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via email and never to click on links within those documents without adequately verifying the source.