Office DDE feature used by hackers in new targeted phishing campaign

News by Rene Millman

Security researchers have warned that a new phishing campaign is using the DDE feature in Microsoft Office to deliver DNSMessenger malware undetected.

Security researchers have warned that a new phishing campaign is using the DDE (Dynamic Data Exchange) feature in Microsoft Office to deliver DNSMessenger malware.

According to a blog post by PhishLabs, these DDE attacks take advantage of a protocol that is provided by Microsoft as a feature that allows data to be transferred between applications. The attack has been shown to be effective in Microsoft Word, Excel, and even Outlook via calendar invites.

The attack works by accessing another application if it is already running, or starting an application if it is not already running, to retrieve the data to be updated. In the attack scenario, there is no update data, but rather, the attacker is seeking to execute a malicious command or application. 

It these attacks were first noticed when an email was submitted for analysis by one of its clients. It used one of these DDE documents to execute PowerShell commands which set the stage for execution of further malicious code.

“The email lure in this incident was spoofed to appear as if it had been sent from a vendor that is used by the victim company,” said Joshua Shilko, manager, Digital Forensics and Incident Response within PhishLabs Research.

“The email body consisted of a simple message: “Please review the new [redacted company name] security policies.” This was accompanied by an email signature which mimicked a real employee of the spoofed company, and of course, an attached document. The attachment was aptly named “Security_Policy_2017.docx.””

When the document is opened, several user prompts are displayed. Upon opening the document, the victim is presented with a prompt stating, “This document contains fields that may refer to other files. Do you want to update the fields in this document?” The user is unlikely to have opened they file if they were not interested in what the content might be so many users will click “Yes.”

When the user clicks yes, the malware then shows a prompt to fool the user into opening what they think is Microsoft Word. In fact, the malware is running a PowerShell script.

“The script downloaded from the compromised site contains an additional gzip-compressed and base64-encoded PowerShell script within the $data object,” said Shilko.

The script then checks to see if the user is running any analysis techniques. “Several functions are defined which are used to calculate the cursor location and the speed at which the cursor is moving. If it is determined that the cursor is moving faster than the predefined threshold, the script will exit,” said Shilko.

The malware also checks the resolution of the system it is running on. Shilko said the malware stops if the resolution is less than 800 x 600. “Modern systems are unlikely to have a lower resolution and such a low resolution may be indicative of a sandbox environment.”

Should the script find that the system is not running any analyses or sandboxes, another PowerShell script is retrieved and run. This script retrieves e A and TXT DNS resource records associated with the domain using NSlookup.

Shilko said the attacker is able to place whatever PowerShell payload they wish in the TXT records and have it executed in memory on the infected device.

“TXT records are designed to hold arbitrary data and virtually anything can be stored in them. Since the script is also persistent, they could update the next stage payload at any time, until the responsible organisations deactivate the domains. The fact that there is no hosted content associated with these domains means it can be difficult to detect the malicious activity that is being perpetrated by abusing TXT resources records,” said Shilko.

PhishLabs said that code artefacts suggest that the actor behind this attack was also responsible for a campaign last month which was distributed via emails spoofing the Securities and Exchange Commission Electronic Data Gathering, Analysis, and Retrieval system.

Shilko said that the incident is a vivid illustration of the fact that businesses are being targeted by sophisticated attackers who are quick to adopt new tactics, techniques, and procedures.

“DDE attacks are an increasingly popular way to target Enterprise end users via the very same document file types that they use every day. DNSMessenger is a sophisticated, fileless attack mechanism which utilises a wide range of persistence mechanisms and covertly downloads malicious scripts through a unique mechanism,” he said.

“Both of these attack mechanisms are continuing to evolve through the addition of new techniques to thwart detection and analysis.”

Dr Simon Wiseman, CTO, Deep Secure, told SC Media  UK that the DDE attack here is the same as the DDEAUTO attack, just it's being triggered by a “refresh” of the document. “CTR defeated both without knowing about them, because these features are discarded as they don't carry useful information and can't be made safe,” he said.

“Don't bother trying to “detect” the threat in the first place. In fact, this type of attack illustrates the problem of trying to protect yourself by detecting bad things in documents or sandboxing (isolating) documents to see how they behave. Detection and isolation are flawed paradigms that time and again have demonstrably failed to defend organisations from the latest zero-day attacks,” he added.

Wieland Alge, general manager of EMEA at Barracuda Networks , told SC Media UK that the best technology to use on more sophisticated attacks that may get through legacy security systems is machine learning and Artificial intelligence (AI).

“This technology identifies certain system behaviour as malicious rather than using specific signatures and establishes a baseline of normal behaviour. Any unusual or out of character behaviour is flagged immediately, which can help to pinpoint either malicious outsiders who have got into your system or an insider whose behaviour has changed. A machine learning platform can stop spearphishing and impersonation attacks in real time which effectively means that worrying about user behaviour becomes a thing of the past,” he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews