Russia-Linked "Fancy Bear" Hackers Latest to Use Microsoft Office DDE Exploit
APT28, also known as Fancy Bear, has been spotted abusing a feature in Microsoft Office that allows them to infect victims with Word docs without enabling macros.
This week, researchers at McAfee announced they have observed APT28, the hacking group responsible for last year's DNC hack, taking advantage of Microsoft's Dynamic Data Exchange (DDE) feature to launch a new series of attacks.
What makes the abuse of DDE so dangerous and so appealing to attackers is that it allows them to run malicious code on a victim's machine via Office documents — without having to trick victims into enabling macros.
Microsoft Office DDE attacks — a primer
We've covered the abuse of DDE in previous blog posts, first when researchers at SensePost published a detailed walkthrough of how DDE attacks work in October, and again when the attackers behind Locky ransomware were seen adopting the technique less than a week later.
In short, the beauty and danger of DDE attacks is in their simplicity. All attackers have to do is insert a custom field into a document with simple instructions to launch code to the command line.
The good news is that when a user opens a document with DDE fields they will receive a warning notifying them that the document contains links that may refer to other files. The user then has to confirm that they do want to update the document with data from the linked files to continue.
After selecting "Yes," under normal circumstances the user is presented with a second prompt explaining that there is an error and asking them to confirm they want to start cmd.exe.
What makes DDE especially problematic from a security perspective is that, like OLE and macros, Microsoft considers it a legitimate feature that attackers have unfortunately found a creative way of abusing. As far as Microsoft is concerned, DDE works as it should and users do get a warning. As such, the company hasno plans of issuing a patchthat would remove its functionality.
Barkly blocks attacks that use DDE, macros, OLE objects, or embedded scripts automatically.
How APT28 is using DDE attacks — and how Barkly blocks them
The recent campaign launched by Fancy Bear hackers used a Word document called "IsisAttackInNewYork.docx" as bait. When victims opened the document they were presented with the two prompts highlighted above.
By clicking "yes" the victims unknowingly allowed the document to invoke the command line and launch the following PowerShell script designed to download a first-stage malware called Seduploader:
According to McAfee researchers, Seduploader serves as a "first-stage reconnaissance implant," designed to gather system information to determine whether a victim is of interest and worth infecting with additional payloads.
As with any attack attempting to abuse DDE, Barkly blocks this attack by recognizing an Office program (in this case Word) is attempting to launch a malicious script. By blocking that behavior, Barkly stops the attack before any payload ever touches the system.
By analyzing system behaviors, rather than simply analyzing static files, Barkly can prevent the misuse of any legitimate programs or tools (macros, PowerShell, etc.), which is a tactic more and more attacks are leveraging to get around AVs.
Find out more about how Barkly can help you replace or augment your antivirus with stronger protection against today's modern threats.See a demoorget a quote.