APT28's latest Word doc attack eliminates needing to enable macros

The threat group APT28/Fancy Bear is now using a little used technique available in Microsoft Office that enables the cyber-gang to execute arbitrary code through a Word document, but without requiring macros to be enabled.

McAfee researchers Ryan Sherstobitoff and Michael Rea wrote that they observed APT28 using the Microsoft Office Dynamic Data Exchange (DDE) technique as an attack vector. The cyber-gang also introduced a new piece of bait, labelling the Word document as containing information on the recent terror attack in New York City.

The DDE protocol is used by Microsoft to share information between applications, but it can also be abused to launch malware from Word, Excel or Outlook attachments without the need for macros to be enabled, according to a Sophos report. This effectively removes one step an attacker needs its victim to take, as the payload is delivered when the document is simply opened.
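Because the DDE field code is stored in the document's own XML rather than in a VBA project, a defender can look for it directly. The following added example (not part of the original article or of McAfee's or Sophos's tooling) unzips a .docx, walks the WordprocessingML parts, reassembles field codes from both simple fields (`w:fldSimple`) and complex fields (`w:fldChar` begin/end with one or more `w:instrText` runs, which are concatenated because a field code may be split across runs), and flags any field whose code starts with `DDE` or `DDEAUTO`. The sample document is constructed in memory with placeholder application and topic strings; it is not the file described in the article.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# A field code that begins with DDE or DDEAUTO (optionally after a leading quote)
# is the signature of a DDE launch; PAGE, DATE, HYPERLINK etc. are left alone.
DDE_RE = re.compile(r'^\s*"?(DDEAUTO|DDE)\b', re.IGNORECASE)


def extract_field_codes(xml_bytes):
    """Return every field code found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    codes = []
    w = lambda local: "{%s}%s" % (W_NS, local)

    # Simple fields keep their whole code in the w:instr attribute.
    for fld in root.iter(w("fldSimple")):
        instr = fld.get(w("instr"))
        if instr:
            codes.append(instr)

    # Complex fields: fldChar begin, instrText run(s), fldChar separate, result, fldChar end.
    # A stack handles nested fields; runs are concatenated in document order.
    stack = []
    for el in root.iter():
        if el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == w("instrText") and stack:
            stack[-1].append(el.text or "")
    return codes


def find_dde_fields(docx_bytes):
    """Scan every XML part under word/ and return (part name, field code) for DDE fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in extract_field_codes(z.read(name)):
                    if DDE_RE.match(code):
                        hits.append((name, code.strip()))
    return hits


# --- constructed sample document (placeholder strings, no real command) ---
CONTENT_TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>'
)

SAMPLE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>
<w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">AUTO "CONSTRUCTED_APP" "CONSTRUCTED_TOPIC" </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>field result shown to the reader</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
</w:body></w:document>"""


def build_sample_docx():
    """Build a minimal .docx in memory containing one benign PAGE field and one DDEAUTO field."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for part, code in find_dde_fields(build_sample_docx()):
        print(f"DDE field in {part}: {code}")
```

The scan covers every XML part under `word/` (headers, footers and footnotes can carry fields too, not only `document.xml`), and concatenating `w:instrText` runs before matching means a code split across runs is still seen whole. On a real mail gateway or triage box the same check would be applied to the attachment bytes; a match is a strong reason to quarantine, since legitimate documents very rarely use DDE fields.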

The McAfee team came across several pieces of evidence tying these attacks to APT28, including the downloader and the command and control server domain, both of which can be linked to the group. The document it examined was:

  • Filename: IsisAttackInNewYork.docx
  • Sha1: 1c6c700ceebfbe799e115582665105caa03c5c9e
  • Creation date: 2017-10-27T22:23:00Z

“We have observed APT28 using Seduploader as a first-stage payload for several years from various public reporting. Based on structural code analysis of recent payloads observed in the campaign, we see they are identical to previous Seduploader samples employed by APT28,” Rea and Sherstobitoff said, adding, “We identified the control server domain associated with this activity as webviewres[.]net, which is consistent with past APT28 domain registration techniques that spoof legitimate-sounding infrastructure.”

Seduploader is a reconnaissance package that checks whether the target system is of interest to the attackers. If it is, the backdoors X-Agent or Sedreco are then installed and used to steal information such as passwords and content, or to run code.

McAfee was not certain why APT28 adopted DDE as an attack method, but it postulated that it enables the group to bypass network defences more effectively than the VBA script methodology it usually utilises.