Malware Campaigns Already Using Microsoft Office DDE Exploit
Attackers behind Locky and Hancitor are actively abusing Microsoft's Dynamic Data Exchange (DDE) feature to infect victims with booby-trapped Office documents.
Old attack technique, new notoriety: Attacks abusing DDE first surfaced in the 1990s, but the technique has been thrust back into the spotlight this month thanks in part to a detailed walk-through published by researchers at SensePost along with Microsoft's decision that DDE functionality is a feature, not a flaw, and will not be removed.
What DDE does: It allows Office programs to load data from other Office programs. Attackers can abuse this functionality by using it to load instructions to launch a command prompt and run malicious code.
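Because a DDE instruction lives in the document's field code rather than in a macro, a document can be checked for it before anyone opens it. The following is an added example, not code from the original post or from Barkly: it scans a .docx for DDE and DDEAUTO fields, building its own constructed sample document in memory. It assumes the WordprocessingML layout described in the comments (instruction text in `w:instrText` runs between `fldChar` begin/end markers, or in a `w:fldSimple` attribute) and joins instruction text that is split across several runs, which a plain substring search over a single run would miss.

```python
"""Scan a .docx for DDE / DDEAUTO field codes before it reaches a user.

Added example, not code from the original post or from Barkly. Word keeps each
field's instruction in <w:instrText> runs between a <w:fldChar
w:fldCharType="begin"/> and its matching "end" marker (simple fields use
<w:fldSimple w:instr="...">). The instruction is frequently split across
several runs, so the pieces of a field are joined before matching.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLD_SIMPLE, FLD_CHAR, INSTR = (f"{{{W}}}{t}" for t in ("fldSimple", "fldChar", "instrText"))
# Unanchored on purpose: a DDE field nested inside another field (e.g. QUOTE)
# is joined into the outer field's code and must still be caught.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml: bytes) -> list:
    """Return every field instruction string found in one XML part."""
    fields, buf, depth = [], [], 0
    for elem in ET.fromstring(part_xml).iter():
        if elem.tag == FLD_SIMPLE:
            fields.append(elem.get(f"{{{W}}}instr", ""))
        elif elem.tag == FLD_CHAR:
            kind = elem.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:  # outermost field closed: emit the joined code
                    fields.append("".join(buf))
                    buf = []
        elif elem.tag == INSTR and depth > 0:
            buf.append(elem.text or "")
    return fields


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return (part name, field code) for every DDE/DDEAUTO field in the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Body, headers, footers and footnotes all sit directly under word/.
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml") and name.count("/") == 1:
                for code in field_codes(z.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, code))
    return hits


def build_sample_docx(field_parts) -> bytes:
    """Constructed minimal .docx (only word/document.xml) holding one complex
    field whose instruction is split across the given runs. Not a real file."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(p)}</w:instrText></w:r>'
        for p in field_parts
    )
    xml = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
           '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
           '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:t>cached field result</w:t></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    # The field code below is a constructed placeholder, not a real payload.
    sample = build_sample_docx(["DD", "EAUTO ", '"C:\\placeholder\\program.exe" "arguments"'])
    for part, code in find_dde_fields(sample):
        print(f"{part}: {code}")
```

The scanner reads the zip directly, so it also works on files a mail gateway has quarantined; extend the part filter if your documents embed other OOXML packages.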
DDE attacks being actively utilized in widespread campaigns: Researchers have spotted DDE attacks being carried out by multiple attack groups this week, including spam email campaigns spreading Locky ransomware and the Hancitor downloader.
The emails were disguised as notifications from DocuSign, and included a link to a Word document, which carried out the infection via the DDE technique.
Fake DocuSign notice used in Hancitor campaign. Source: SANS
The DocuSign link leads to a Word doc with a DDE field that attempts to launch PowerShell to download the Hancitor payload. Source: SANS
All signs point to widespread adoption
The inclusion of DDE attacks in these mass spam campaigns is a sign that it's yet another stealthy technique that has migrated downstream from advanced attack groups into the hands of common criminals.
The beauty of DDE attacks is in their simplicity. They're incredibly easy to use and because DDE is a legitimate feature, neither Windows defenses nor antivirus products flag it.
While the campaigns utilizing the attacks now are leveraging them to download other executable file payloads (Locky, Hancitor, etc.), the real danger of this technique is the opportunity it provides attackers to carry out attacks that don't drop malware on the system in any traditional sense.
Attackers can just as easily leverage the command line functionality provided by DDE fields to launch more damaging PowerShell scripts, or have PowerShell execute code directly in memory, turning the infection into a fileless attack that can gather information and wreak more havoc while staying undetected. Without any malicious executables actually downloaded on the system, both traditional and machine-learning-powered next-gen AV solutions that rely on file scanning are useless.
How Barkly blocks DDE attacks
Barkly automatically blocks this threat and others like it by preventing malicious behaviors (e.g. an Office program attempting to launch an external program).
By analyzing behaviors, rather than simply analyzing static files, Barkly can prevent the misuse of any legitimate programs or tools (macros, PowerShell, etc.), which is a tactic more and more attacks are leveraging to get around AVs.
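The behavioral rule described above can be expressed against ordinary process-creation telemetry. The following is an added example and is not Barkly's product logic: it evaluates records shaped like Sysmon Event ID 1 (fields `Image`, `ParentImage`, `CommandLine`, `UtcTime`; Windows event 4688 carries the same information once command-line auditing is enabled) and flags Office parents spawning shells or script hosts. The Office, shell and allowlist sets, the severity tiers and all sample records are assumptions constructed for the example.

```python
"""Flag Office applications spawning command shells or script hosts.

Added example; it is not Barkly's product logic. It applies the behavioural
rule the post describes (an Office program launching an external program) to
process-creation records using the field names of Sysmon Event ID 1
(Image, ParentImage, CommandLine, UtcTime). All records below are constructed.
"""
import ntpath
import re
from typing import Optional

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Children Office legitimately spawns (printing, crash reporting). Assumed
# baseline for this example; build yours from your own telemetry.
ALLOW = {"splwow64.exe", "dw20.exe", "werfault.exe", "msosync.exe"}
# Abbreviated switches PowerShell accepts for -EncodedCommand (-e, -ec, -enc).
ENCODED_RE = re.compile(r"(?i)\s-e(nc|c|ncodedcommand)?\b")


def _image_name(path: Optional[str]) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(path or "").lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious Office child process, else None."""
    parent, child = _image_name(event.get("ParentImage")), _image_name(event.get("Image"))
    if parent not in OFFICE or child in ALLOW:
        return None
    cmd = event.get("CommandLine", "")
    if child in ("powershell.exe", "pwsh.exe") and ENCODED_RE.search(cmd):
        severity = "critical"  # shell from Office *and* an encoded command
    elif child in SHELLS:
        severity = "high"
    else:
        severity = "medium"    # any other non-baselined child of Office
    return {"time": event.get("UtcTime"), "severity": severity,
            "parent": parent, "child": child, "command_line": cmd}


def scan(events) -> list:
    """Run evaluate() over an iterable of records, keeping only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"UtcTime": "2017-10-19 14:02:11.120", "ParentImage": WINWORD,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "placeholder-command"'},
    {"UtcTime": "2017-10-19 14:02:12.004", "ParentImage": WINWORD,
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"UtcTime": "2017-10-19 14:05:40.310", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe -NoProfile"},
    {"UtcTime": "2017-10-19 14:07:02.551",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe", "CommandLine": "update.exe"},
    {"UtcTime": "2017-10-19 14:09:15.877", "ParentImage": WINWORD,
     "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:8} {a["parent"]} -> {a["child"]}: {a["command_line"]}')
```

Matching on the parent image rather than on file hashes is what lets the same rule cover DDE, macros and any other Office feature that ends in a child process; the cost is the allowlist, which needs to be baselined per environment to keep printing and crash-reporting helpers from paging anyone.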
Find out more about how Barkly can help you replace or augment your antivirus with stronger protection against today's modern threats. See a demo or get a quote.