{"id":85274,"date":"2017-12-06T14:57:30","date_gmt":"2017-12-06T09:27:30","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85274"},"modified":"2017-12-06T14:57:30","modified_gmt":"2017-12-06T09:27:30","slug":"emerging-trend-dde-based-office-malware-analysis-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/emerging-trend-dde-based-office-malware-analysis-quick-heal-security-labs\/","title":{"rendered":"An emerging trend of DDE based Office malware \u2013 an analysis by Quick Heal Security Labs"},"content":{"rendered":"

For the past few years,\u00a0we have been seeing macro-based attacks through\u00a0Object\u00a0Linking Embedding (OLE)\/Microsoft Office files. But, presently,\u00a0attackers are using\u00a0a\u00a0different technique to spread malware\u00a0through Office files\u00a0\u2013\u00a0using\u00a0a\u00a0new attack vector called \u2018Dynamic Data Exchange (DDE<\/a>)\u2019.<\/p>\n

DDE is an\u00a0authorized Microsoft Office feature\u00a0that\u00a0provides several methods for transferring data between\u00a0applications.\u00a0Once\u00a0the\u00a0communication protocol is established,\u00a0it doesn’t require\u00a0user interactions to exchange data between applications.\u00a0The\u00a0DDE feature is not limited to Word and Excel document but it includes RTF and Outlook also.<\/p>\n

Technical details<\/b>
\nThis attack starts with\u00a0a\u00a0spam email with\u00a0a\u00a0malicious document file as\u00a0an\u00a0attachment\u00a0as shown in fig 1.<\/p>\n

\"Fig
Fig 1. Spam email<\/figcaption><\/figure>\n

Microsoft Word<\/span><\/span>\u00a0application i.e.<\/span><\/span>,<\/span><\/span>\u00a0\u2018<\/span><\/span>winword.exe<\/span><\/span>\u2019<\/span><\/span>\u00a0opens this attachment<\/span><\/span>\u00a0and runs the DDE code. It\u00a0<\/span><\/span>throws a\u00a0<\/span><\/span>user<\/span><\/span>\u00a0<\/span><\/span>prompt which\u00a0<\/span><\/span>says\u00a0<\/span><\/span>that\u00a0<\/span><\/span>this document<\/span><\/span>\u00a0contains some links which\u00a0<\/span><\/span>may\u00a0<\/span><\/span>refer<\/span><\/span>\u00a0to fetch data from other files. Fig 2 shows\u00a0<\/span><\/span>this prompt.<\/span><\/span>\u00a0<\/span><\/p>\n

\"Fig
Fig 2: 1st user prompt<\/figcaption><\/figure>\n

If\u00a0the\u00a0user selects\u00a0Yes<\/b>,\u00a0<\/b>another\u00a0user prompt\u00a0is displayed\u00a0which shows the remote\u00a0data execution\u00a0information.\u00a0And here, if the\u00a0user selects\u00a0Yes<\/b>,\u00a0<\/b>the\u00a0attack will succeed.<\/p>\n

Fig 3 shows\u00a0the\u00a0information about\u00a0the\u00a0remote data (this\u00a0may vary\u00a0from case to case).<\/p>\n

\"Fig
Fig 3: 2nd user prompt<\/figcaption><\/figure>\n

In\u00a0either of these user prompts, if\u00a0the\u00a0user selects\u00a0No<\/b>,\u00a0<\/b>the\u00a0attack will fail.<\/p>\n

The malware\u00a0with\u00a0a\u00a0DDE code executes\u00a0\u2018cmd.exe\u2019\u00a0with\u00a0PowerShell and\u00a0other\u00a0codes\u00a0as a parameter. PowerShell will download\u00a0the\u00a0payload in\u00a0the\u00a0background and execute\u00a0it silently.\u00a0The payload may contain any of the types\u00a0of\u00a0malware.\u00a0Fig\u00a04 shows one of the types\u00a0of DDE code.<\/p>\n

\"Fig
Fig 4: DDE Code<\/figcaption><\/figure>\n

To evade signature-based detections, malware authors use\u00a0different obfuscation techniques\u00a0including\u00a0the following:<\/p>\n

Obfuscation technique 1<\/b><\/p>\n

Splits the DDE and PowerShell code in different tags.<\/p>\n

\"Fig
Fig 5 Splitting DDE code<\/figcaption><\/figure>\n

Obfuscation technique 2<\/b><\/p>\n

Encoded PowerShell code with base64.<\/p>\n

\"Fig
Fig 6. Base 64 encoding<\/figcaption><\/figure>\n

Obfuscation technique 3<\/b><\/p>\n

Encoded PowerShell code with\u00a0an\u00a0integer value of their respective character.<\/p>\n

\"Fig
Fig 7. Long string with Integer values<\/figcaption><\/figure>\n

Decoded\u00a0<\/span><\/span>version of the code above<\/span><\/span>:<\/span><\/span>\u00a0<\/span><\/p>\n

\"Fig
Fig 8. Decoded value string highlighted in Fig 7<\/figcaption><\/figure>\n

The DDE based office malware attack technique is very simple for attackers. We suspect this trend will be picked up by malware authors in coming future.<\/p>\n

Prevention\u00a0<\/b>m<\/b>easures<\/b><\/p>\n

    \n
  • Consider\u00a0disabling DDE\u00a0when\u00a0not\u00a0in\u00a0use.<\/li>\n<\/ul>\n
      \n
    • To disable the DDE feature via the user interface: Set File\u00a0->\u00a0Options\u00a0->\u00a0Trust Center\u00a0->\u00a0Trust Center Settings\u00a0->\u00a0External Content\u00a0->\u00a0Security settings for Workbook Links = Disable automatic update of Workbook Links.<\/li>\n<\/ul>\n
        \n
      • Do not download\/open attachments that arrive in emails from unwanted or unexpected sources.<\/li>\n
      • Apply all recommended security updates and patches\u00a0for\u00a0your Operating System.<\/li>\n<\/ul>\n

        Indicators of\u00a0<\/b>c<\/b>ompromise:<\/b><\/p>\n

        53c1d68242de77940a0011d7d108c098
        \n106776A1A0F1F15E17C06C23CBFE550E
        \n31362967C1BFE285DDC5C3AB27CDC62D<\/p>\n

        Subject Matter Experts<\/b><\/p>\n

          \n
        • Aniruddha\u00a0Dolas, Prashant\u00a0Tilekar| Quick Heal Security Labs<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

          For the past few years,\u00a0we have been seeing macro-based attacks through\u00a0Object\u00a0Linking Embedding (OLE)\/Microsoft Office files. But, presently,\u00a0attackers are using\u00a0a\u00a0different technique to spread malware\u00a0through Office files\u00a0\u2013\u00a0using\u00a0a\u00a0new attack vector called \u2018Dynamic Data Exchange (DDE)\u2019. DDE is an\u00a0authorized Microsoft Office feature\u00a0that\u00a0provides several methods for transferring data between\u00a0applications.\u00a0Once\u00a0the\u00a0communication protocol is established,\u00a0it doesn’t require\u00a0user interactions to exchange data between applications.\u00a0The\u00a0DDE […]<\/p>\n","protected":false},"author":38,"featured_media":85284,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,1395],"tags":[1546,1173,1547,1548,1431,38],"class_list":["post-85274","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-vulnerability","tag-dde","tag-exploit","tag-ms-office","tag-obfuscation","tag-rtf","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85274"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/38"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=85274"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85274\/revisions"}],"predecessor-version":[{"id":85286,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/85274\/revisions\/85286"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/85284"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=85274"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=85274"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=85274"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}