{"id":10729,"date":"2017-12-06T02:20:13","date_gmt":"2017-12-06T10:20:13","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/12\/06\/news-4501\/"},"modified":"2017-12-06T02:20:13","modified_gmt":"2017-12-06T10:20:13","slug":"news-4501","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/12\/06\/news-4501\/","title":{"rendered":"An emerging trend of DDE based Office malware \u2013 an analysis by Quick Heal Security Labs"},"content":{"rendered":"<p><strong>Credit to Author: Aniruddha Dolas| Date: Wed, 06 Dec 2017 09:27:30 +0000<\/strong><\/p>\n<p>For the past few years,\u00a0we have been seeing macro-based attacks through\u00a0Object\u00a0Linking Embedding (OLE)\/Microsoft Office files. But, presently,\u00a0attackers are using\u00a0a\u00a0different technique to spread malware\u00a0through Office files\u00a0\u2013\u00a0using\u00a0a\u00a0new attack vector called \u2018Dynamic Data Exchange (DDE)\u2019. DDE is an\u00a0authorized Microsoft Office feature\u00a0that\u00a0provides several methods for transferring data between\u00a0applications.\u00a0Once\u00a0the\u00a0communication protocol is established,\u00a0it doesn&#8217;t require\u00a0user interactions to exchange data between applications.\u00a0The\u00a0DDE feature is not limited to Word and Excel document but it includes RTF and Outlook also. Technical details This attack starts with\u00a0a\u00a0spam email with\u00a0a\u00a0malicious document file as\u00a0an\u00a0attachment\u00a0as shown in fig 1. Fig 1. Spam email Microsoft Word\u00a0application i.e.,\u00a0\u2018winword.exe\u2019\u00a0opens this attachment\u00a0and runs the DDE code. It\u00a0throws a\u00a0user\u00a0prompt which\u00a0says\u00a0that\u00a0this document\u00a0contains some links which\u00a0may\u00a0refer\u00a0to fetch data from other files. Fig 2 shows\u00a0this prompt.\u00a0 Fig 2: 1st user prompt If\u00a0the\u00a0user selects\u00a0Yes,\u00a0another\u00a0user prompt\u00a0is displayed\u00a0which shows the remote\u00a0data execution\u00a0information.\u00a0And here, if the\u00a0user selects\u00a0Yes,\u00a0the\u00a0attack will succeed. Fig 3 shows\u00a0the\u00a0information about\u00a0the\u00a0remote data (this\u00a0may vary\u00a0from case to case). Fig 3: 2nd user prompt In\u00a0either of these user prompts, if\u00a0the\u00a0user selects\u00a0No,\u00a0the\u00a0attack will fail. The malware\u00a0with\u00a0a\u00a0DDE code executes\u00a0\u2018cmd.exe\u2019\u00a0with\u00a0PowerShell and\u00a0other\u00a0codes\u00a0as a parameter. PowerShell will download\u00a0the\u00a0payload in\u00a0the\u00a0background and execute\u00a0it silently.\u00a0The payload may contain any of the types\u00a0of\u00a0malware.\u00a0Fig\u00a04 shows one of the types\u00a0of DDE code. Fig 4: DDE Code To evade signature-based detections, malware authors use\u00a0different obfuscation techniques\u00a0including\u00a0the following: Obfuscation technique 1 Splits the DDE and PowerShell code in different tags. Fig 5 Splitting DDE code Obfuscation technique 2 Encoded PowerShell code with base64. Fig 6. Base 64 encoding Obfuscation technique 3 Encoded PowerShell code with\u00a0an\u00a0integer value of their respective character. Fig 7. Long string with Integer values Decoded\u00a0version of the code above:\u00a0 Fig 8. Decoded value string highlighted in Fig 7 The DDE based office malware attack technique is very simple for attackers. We suspect this trend will be picked up by malware authors in coming future. Prevention\u00a0measures Consider\u00a0disabling DDE\u00a0when\u00a0not\u00a0in\u00a0use. To disable the DDE feature via the user interface: Set File\u00a0-&gt;\u00a0Options\u00a0-&gt;\u00a0Trust Center\u00a0-&gt;\u00a0Trust Center Settings\u00a0-&gt;\u00a0External Content\u00a0-&gt;\u00a0Security settings for Workbook Links = Disable automatic update of Workbook Links. Do not download\/open attachments that arrive in emails from unwanted or unexpected sources. Apply all recommended security updates and patches\u00a0for\u00a0your Operating System. Indicators of\u00a0compromise: 53c1d68242de77940a0011d7d108c098 106776A1A0F1F15E17C06C23CBFE550E 31362967C1BFE285DDC5C3AB27CDC62D Subject Matter Experts Aniruddha\u00a0Dolas, Prashant\u00a0Tilekar| Quick Heal Security Labs The post An emerging trend of DDE based Office malware \u2013 an analysis by Quick Heal Security Labs appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.<br \/><a href=\"http:\/\/blogs.quickheal.com\/emerging-trend-dde-based-office-malware-analysis-quick-heal-security-labs\/\" target=\"bwo\" >http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Aniruddha Dolas| Date: Wed, 06 Dec 2017 09:27:30 +0000<\/strong><\/p>\n<p>For the past few years,\u00a0we have been seeing macro-based attacks through\u00a0Object\u00a0Linking Embedding (OLE)\/Microsoft Office files. But, presently,\u00a0attackers are using\u00a0a\u00a0different technique to spread malware\u00a0through Office files\u00a0\u2013\u00a0using\u00a0a\u00a0new attack vector called \u2018Dynamic Data Exchange (DDE)\u2019. DDE is an\u00a0authorized Microsoft Office feature\u00a0that\u00a0provides several methods for transferring data between\u00a0applications.\u00a0Once\u00a0the\u00a0communication protocol is established,\u00a0it doesn&#8217;t require\u00a0user interactions&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[15859,11638,3764,16855,12039,11993,10467],"class_list":["post-10729","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-dde","tag-exploit","tag-malware","tag-ms-office","tag-obfuscation","tag-rtf","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10729","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10729"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10729\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10729"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10729"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10729"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}