Security Alert
Jonathan Crowe
Oct 2017

Malware Campaigns Already Using Microsoft Office DDE Exploit

Attackers behind Locky and Hancitor are actively abusing Microsoft's Dynamic Data Exchange (DDE) feature to infect victims with booby-trapped Office documents.

Key Details

  • Old attack technique, new notoriety: Attacks abusing DDE first surfaced in the 1990s, but the technique has been thrust back into the spotlight this month thanks in part to a detailed walk-through published by researchers at SensePost along with Microsoft's decision that DDE functionality is a feature, not a flaw, and will not be removed. 
  • What DDE does: It allows Office programs to load data from other Office programs. Attackers can abuse this functionality by using it to load instructions to launch a command prompt and run malicious code.
  • DDE attacks being actively utilized in widespread campaigns: Researchers have spotted DDE attacks being carried out by multiple attack groups this week, including spam email campaigns spreading Locky ransomware and the Hancitor downloader. 
  • What to do now: Update Office settings: Admins should roll out policies to disable the "update automatic links at open" option in Office programs, which should help prevent the attacks.
  • empty
  • empty
  • empty
  • empty

Stop worrying about malicious Microsoft Office docs. Barkly blocks attacks that use DDE, macros, OLE objects, or embedded scripts automatically.
See a demo

Last week, we published a blog post that explained how attackers can abuse Microsoft's Dynamic Data Exchange (DDE) feature to launch malware without tricking users into enabling macros. 

Well, things move quickly in the world of cybersecurity, and researchers have now spotted attackers already making use of the technique. 

Quick recap: How DDE attacks work

DDE is a protocol that allows Office programs to exchange data between one another (ex: DDE can be used to ensure a table in a Word doc gets automatically updated with data from an Excel file).

Unfortunately, attackers can abuse DDE to launch scripts and executables from the command line. All they have to do is create an Office doc with a DDE field inserted.

For a detailed walk-through, see this post from SensePost.  

On the bright side, even though this technique avoids the use of macros and the challenge of convincing a user to enable them, it does still require a user to click through two separate prompts. 


Active Necurs botnet campaigns delivering Locky using DDE attack

On Thursday, researcher @dvk01uk noticed that a new campaign of spam emails flooding out from the Necurs botnet were delivering Word document attachments utilizing the DDE technique.

The attachments were disguised as email invoices, and when opened, resulted in the two user prompts:

DDE-Attack-User-Prompt-1.pngUser prompt #1: This document contains fields that may refer to other files. Do you want to update the fields in this document?"

DDE-Attack-User-Prompt-2.pngUser prompt #2: The remote data (k powershell -NoP -sta -Nonl -w hidden) is not accessible. Do you want to start the application C:\Windows\System32\cmd.exe?

Clicking "yes" on both results in the launching of a PowerShell script that calls out and downloads the Locky payload from compromised websites.

Barkly, however, sees Word attempting to launch an external program and blocks the attack before it can even download the payload. 


Locky has made a big comeback over the last two months, with new campaigns repeatedly blasting out millions of emails via the Necurs botnet. 

The campaigns have been experimenting with a variety of email and attachment types, and the attackers behind Locky wasted no time adding this DDE technique to the rotation.

On Friday, a fresh round of spam emails also incorporated the attack technique, this time using attachments disguised as "Scanned image from MX-2600N" as bait.  

Hancitor campaign adopts the DDE technique, as well

The attackers behind Locky aren't the only criminals seeing the potential of the DDE technique. Researcher Brad Duncan spotted a campaign using DDE attacks to spread the downloader malware Hancitor on Monday, 10/16. 

The emails were disguised as notifications from DocuSign, and included a link to a Word document, which carried out the infection via the DDE technique. 


Fake DocuSign notice used in Hancitor campaign. Source: SANS


The DocuSign link leads a Word doc with a DDE field that attemps to launch PowerShell to download the Hancitor payload. Source: SANS 

All signs point to widespread adoption

The inclusion of DDE attacks in these mass spam campaigns is a sign that it's yet another stealthy technique that has migrated downstream from advanced attack groups into the hands of common criminals. 

The beauty of DDE attacks is in their simplicity. They're incredibly easy to use and because DDE is a legitimate feature, neither Windows defenses nor antivirus products flag it. 

While the campaigns utilizing the attacks now are leveraging them to download other executable file payloads (Locky, Hancitor, etc.), the real danger of this technique is the opportunity it provides attackers to carry out attacks that don't drop malware on the system in any traditional sense. 

Attackers can just as easily leverage the command line functionality provided by DDE fields to launch more damaging PowerShell scripts, or have PowerShell execute code directly in memory, turning the infection into a fileless attack that can gather information and wreak more havok while staying undetected. Without any malicious executables actually downloaded on the system, both traditional and machine-learning-powered next-gen AV solutions that rely on file scanning are useless.  

How Barkly blocks DDE attacks

Barkly automatically blocks this threat and others like it by preventing malicious behaviors (ex: an Office program attempting to launch an external program).

By analyzing behaviors, rather than simply analyzing static files, Barkly can prevent the misuse of any legitimate programs or tools (macros, PowerShell, etc.), which is a tactic more and more attacks are leveraging to get around AVs. 

Find out more about how Barkly can help you replace or augment your antivirus with stronger protection against today's modern threats. See a demo or get a quote.  

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


2017 Malware Trends in Review

How attacks are evolving and what to expect next.

Get my report


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.