Microsoft Office Attack Runs Malware Without Needing Macros

itman · Oct 12, 2017

Malware authors don't necessarily need to trick users to enable macros to run malicious code. An alternative technique exists, one that takes advantage of another legitimate Office feature.

This feature is called Microsoft Dynamic Data Exchange (DDE) and allows an Office application to load data from other Office applications. For example, a Word file can update a table by pulling data from an Excel file every time the Word file is opened.

How the DDE attack works

Under the hood, DDE is nothing more than a custom field that users can insert into documents. These fields allow users to enter simple instructions with the location of where to pull data, and what data to inject into the new document.

The problem is that malware authors can create malicious Word files with DDE fields that instead of opening another Office app, open a command prompt and run malicious code.

Under normal circumstances, Office apps show two warnings. The first is a warning about the document containing links to other files, while the second is for an error about opening a remote command prompt.

According to two security researchers from SensePost, the second popup can be suppressed, limiting the warnings to only the first.

This greatly increases the DDE attack's usability. Users who work with DDE-linked files on a regular basis are predisposed to dismiss the popup, mostly by training, because they performed the action so many times before.

Microsoft: This is not a vulnerability

SensePost contacted Microsoft earlier in the year, but the company did not consider this a vulnerability, in the true sense of the word.

DDE attacks used in the wild by FIN7 group

Kevin Beaumont discovered the technique being used in live attacks by FIN7, a group of hackers specialized in hitting financial organizations [1, 2, 3]. Cisco Talos published a more detailed analysis of these attacks, carried out by the same group who previously developed the DNSMessenger malware.
Click to expand...

https://www.bleepingcomputer.com/ne...e-attack-runs-malware-without-needing-macros/

WildByDesign · Oct 12, 2017

Would applying the Child Process mitigation block this attack?

itman · Oct 13, 2017

WildByDesign said: ↑

Would applying the Child Process mitigation block this attack?
Click to expand...

It appears so. I assume most are by now monitoring the script engines, rundll32, command shell, etc.. startup from Word. I recently added csc.exe for the various .Net engines after I saw that was being used maliciously to compile a .Net executable on the fly.

itman · Oct 13, 2017

More info here: https://www.scmagazine.com/phishers...stribute-dnsmessenger-malware/article/699918/https://www.scmagazine.com/phishers...stribute-dnsmessenger-malware/article/699918/ . This SEC attack is Powershell based.

itman · Oct 13, 2017

Also noteworthy is Enigma reported this issue to Microsoft in April, 2017. As noted in the article, it is possible to bypass Word's "Protected View" mode with these attacks.

https://enigma0x3.net/2017/07/13/phishing-against-protected-view/

Mr.X · Oct 13, 2017

That's why I always run Office programs in Sandboxie, in a restricted sandbox.

itman · Oct 13, 2017

It is also not just Word that has been vulnerable to DDE attacks as noted by this Flash exploit last year:

ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks

In a report from Kaspersky Lab, researchers said the vulnerability is in Flash code that parses ExecPolicy metadata. ScarCruft’s exploit implements read/write operations at a particular address in memory that can allow for full remote code execution. Full details are explained in the Kaspersky Lab report published today.

The attack happens in stages starting with shellcode downloading and executing a malicious DLL that loads in Flash and also includes a technique designed to bypass antivirus detection using the Windows DDE component, or Dynamic Data Exchange, a protocol that facilitates data transfers between applications.

Kaspersky researchers said this part of the attack makes “clever” use of Windows DDE.

“The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed,” Kaspersky Lab said in its report. “This is an undocumented behavior in Microsoft Windows.”
Click to expand...

https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/

Rasheed187 · Oct 14, 2017

itman said: ↑

It appears so. I assume most are by now monitoring the script engines, rundll32, command shell, etc.. startup from Word. I recently added csc.exe for the various .Net engines after I saw that was being used maliciously to compile a .Net executable on the fly.
Click to expand...

Simply by blocking child process execution, you can stop this attack. SpyShelter also monitors DDE execution. For example, it will block VT Uploader from launching the browser via DDE.

Log in or Sign up

Microsoft Office Attack Runs Malware Without Needing Macros

itman Registered Member

WildByDesign Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

Mr.X Registered Member

itman Registered Member

Rasheed187 Registered Member

Log in or Sign up

Microsoft Office Attack Runs Malware Without Needing Macros

itman Registered Member

WildByDesign Registered Member

itman Registered Member

itman Registered Member

itman Registered Member

Mr.X Registered Member

itman Registered Member

Rasheed187 Registered Member

Useful Searches