Since
new forms of cybercrime are on the rise, traditional techniques seem to
be shifting towards more clandestine that involve the exploitation of
standard system tools and protocols, which are not always monitored.
Security
researchers at Cisco’s Talos threat research group have discovered one
such attack campaign spreading malware-equipped Microsoft Word documents
that perform code execution on the targeted device without requiring
Macros enabled or memory corruption.
This Macro-less code execution in MSWord technique, described
in detail on Monday by a pair of security researchers from Sensepost,
Etienne Stalmans and Saif El-Sherei, which leverages a built-in feature
of MS Office, called Dynamic Data Exchange (DDE), to perform code
execution.
Dynamic Data Exchange (DDE) protocol is one of the
several methods that Microsoft allows two running applications to share
the same data. The protocol can be used by applications for one-time
data transfers and for continuous exchanges in which apps send updates
to one another as new data becomes available.
Thousands of applications use the DDE protocol, including Microsoft’s Excel, MS Word, Quattro Pro, and Visual Basic.
The
exploitation technique that the researchers described displays no
“security” warnings to victims, except asking them if they want to
execute the application specified in the command—however, this popup
alert could also be eliminated “with proper syntax modification,” the
researchers say.
The duo has also provided a proof-of-concept video demonstrating the technique.
Since
new forms of cybercrime are on the rise, traditional techniques seem to
be shifting towards more clandestine that involve the exploitation of
standard system tools and protocols, which are not always monitored.
Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or memory corruption.
This Macro-less code execution in MSWord technique, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, which leverages a built-in feature of MS Office, called Dynamic Data Exchange (DDE), to perform code execution.
Dynamic Data Exchange (DDE) protocol is one of the several methods that Microsoft allows two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.
Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or memory corruption.
This Macro-less code execution in MSWord technique, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, which leverages a built-in feature of MS Office, called Dynamic Data Exchange (DDE), to perform code execution.
Dynamic Data Exchange (DDE) protocol is one of the several methods that Microsoft allows two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.
The exploitation technique that the researchers described displays no “security” warnings to victims, except asking them if they want to execute the application specified in the command—however, this popup alert could also be eliminated “with proper syntax modification,” the researchers say.
MS Word DDE Attack Being Actively Exploited In the Wild
As
described by Cisco researchers, this technique was found actively being
exploited in the wild by hackers to target several organisations using
spear phishing emails, which were spoofed to make them look as if
they’re sent by the Securities and Exchange Commission (SEC) and
convince users into opening them.
“The
emails themselves contained a malicious attachment [MS Word] that when
opened would initiate a sophisticated multi-stage infection process
leading to infection with DNSMessenger malware,” reads a blog post published by Talos researchers.
Earlier March, Talos researchers found attackers distributing DNSMessenger—a
completely fileless remote access trojan (RAT) that uses DNS queries to
conduct malicious PowerShell commands on compromised computers.
Once opened, victims would be prompted with a message informing them
that the document contains links to external files, asking them to allow
or deny the content to be retrieved and displayed.
If
allowed, the malicious document will communicate to the attacker hosted
content in order to retrieve code that’ll be executed to initiate the
DNSMessenger malware infection.
“Interestingly,
the DDEAUTO field used by this malicious document retrieved code that
the attacker had initially hosted on a Louisiana state government
website, which was seemingly compromised and used for this purpose,” the
researchers say.
“The emails themselves contained a malicious attachment [MS Word] that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware,” reads a blog post published by Talos researchers.Earlier March, Talos researchers found attackers distributing DNSMessenger—a completely fileless remote access trojan (RAT) that uses DNS queries to conduct malicious PowerShell commands on compromised computers.
“Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose,” the researchers say.
How to Protect Yourself And Detect MS Word DDE Attacks
What’s
more worrying? Microsoft doesn’t consider this as a security issue,
rather according to the company the DDE protocol is a feature that can
not be removed but could be improved with better warning alerts for
users in future.
Although there’s no direct way to disable DDE code execution, users can proactively monitor system event logs to check possible exploitation.
Besides this, the researchers at NVISO Labs have also shared two YARA rules to detect DDE vector in Office Open XML files.
The
best way to protect yourself from such malware attacks is always to be
suspicious of any uninvited document sent via an email and never click
on links inside those documents unless properly verifying the source.
Πηγή : thehackernews
Although there’s no direct way to disable DDE code execution, users can proactively monitor system event logs to check possible exploitation.
The best way to protect yourself from such malware attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless properly verifying the source.
No comments:
Post a Comment