
With APT28 now using Microsoft's Dynamic Data Exchange (DDE) as an attack point, the company has issued an official advisory concerning the practice, along with possible mitigation methods.

The advisory notes that attacks can take place via email and corrupt Word, Excel, Publisher and Outlook documents. An attack is conducted through email when an attacker sends the intended victim a specially crafted file with a name designed to entice the victim to open it. Unlike other attacks that use Word docs, with DDE the victims do not have to manually enable macros for the payload to download. Instead, infection happens automatically.

Microsoft offered several suggestions for stopping these attacks. For Word documents, the company says to not open suspicious email attachments or to manually create and set registry entries for Microsoft Office. The latter task should only be handled by someone familiar with the system because if Registry Editor is used incorrectly the operating system may have to be reinstalled.

An attack through Publisher would likely take place using a Word document, so the Word mitigation will solve this problem as well.

Excel documents require DDE to open, but this can be disabled by setting File->Options->Trust Center->Trust Center Settings…->External Content->Security settings for Workbook Links to "Disable automatic update of Workbook Links," Microsoft said.

However, disabling this feature in the registry could prevent Excel spreadsheets from updating dynamically, Microsoft noted.

Outlook can also be adjusted through the Registry Editor, but this will disable automatic updates for the DDE field OLE links. These updates will have to be completed manually.

DDE is a protocol used for interprocess communications, such as transferring data between applications. Earlier this year, researchers at SensePost determined that DDE could essentially be exploited to execute malicious code in Microsoft Word.

Microsoft Corporation reportedly chose not to act on the findings, calling this functionality an intentional feature. However, SensePost noted in a blog post that Microsoft said it would consider reclassifying the feature as a bug in the next version of Windows.

Later, in October, Cisco Talos reported that a spear phishing campaign impersonating the US Securities and Exchange Commission was discovered attempting to infect victims with DNSMessenger malware, using malicious Word attachments that abuse the DDE protocol. And another recently observed malspam campaign, which distributes Locky and Trickbot to victims depending on their geographic location, also exploits DDE.