For the past few years, we have been seeing macro-based attacks through Object Linking Embedding (OLE)/Microsoft Office files. But, presently, attackers are using a different technique to spread malware through Office files – using a new attack vector called ‘Dynamic Data Exchange (DDE)’.
DDE is an authorized Microsoft Office feature that provides several methods for transferring data between applications. Once the communication protocol is established, it doesn’t require user interactions to exchange data between applications. The DDE feature is not limited to Word and Excel document but it includes RTF and Outlook also.
This attack starts with a spam email with a malicious document file as an attachment as shown in fig 1.
Microsoft Word application i.e., ‘winword.exe’ opens this attachment and runs the DDE code. It throws a user prompt which says that this document contains some links which may refer to fetch data from other files. Fig 2 shows this prompt.
If the user selects Yes, another user prompt is displayed which shows the remote data execution information. And here, if the user selects Yes, the attack will succeed.
Fig 3 shows the information about the remote data (this may vary from case to case).
In either of these user prompts, if the user selects No, the attack will fail.
The malware with a DDE code executes ‘cmd.exe’ with PowerShell and other codes as a parameter. PowerShell will download the payload in the background and execute it silently. The payload may contain any of the types of malware. Fig 4 shows one of the types of DDE code.
To evade signature-based detections, malware authors use different obfuscation techniques including the following:
Obfuscation technique 1
Splits the DDE and PowerShell code in different tags.
Obfuscation technique 2
Encoded PowerShell code with base64.
Obfuscation technique 3
Encoded PowerShell code with an integer value of their respective character.
Decoded version of the code above:
The DDE based office malware attack technique is very simple for attackers. We suspect this trend will be picked up by malware authors in coming future.
Indicators of compromise:
Subject Matter Experts