Over the past few weeks, there have been several reports about the Microsoft Dynamic Data Exchange (DDE) vulnerability. To no one's surprise, hackers have been quick to exploit this vulnerability to spread malware through rigged Microsoft Word documents.
In this same timeframe, the Zscaler ThreatLabZ team has seen a number of these malicious documents using the DDE vulnerability to download and execute malware. Most of the payloads we saw were Remote Access Trojans (RATs), ransomware, and backdoors.
In this blog, we will share a detailed technical analysis of a few of these exploitations and their payloads.
The Microsoft Dynamic Data Exchange (DDE) protocol allows data to be transferred between applications. These applications can use DDE for one-time data transfers or for continuous exchanges; for example, a Microsoft Word document that uses data from an Excel spreadsheet is updated automatically through DDE as the spreadsheet data is updated. The DDE protocol sends messages between applications that share data and uses shared memory to exchange data between the applications.
Microsoft Word documents have been used before to spread malware, but in those cases the victim would have to manually enable macros for the payload to be downloaded onto the victim’s system. With the DDE vulnerability (feature) in Microsoft Word, attackers can embed a malicious script that can download and execute malware without the use of macros.
Case I: DDE protocol abuse leads to post-exploitation using PowerShell
One Word file we analyzed exploited the DDE vulnerability to download and execute a PowerShell script using a post-exploitation framework.
Filename - Communications_Suggestions_by_Press_Office_Director.docx
The document looks like this:
Fig1: Malicious document
Generally, fake documents like this are spread via an email campaign targeting small and large groups of businesses in numerous industry sectors.
The workflow of the document is as follows:
Fig2: Document Workflow (case I)
In this document, the attacker uses the DDE protocol to launch a Windows command line tool (cmd.exe), which uses PowerShell to download and execute the malware from a given URL.
The field content looks like this:
Fig3: DDE field code
The field code uses cmd.exe and PowerShell to download and execute a file hosted at the following URL: hxxp://citycarpark[.]my/components/com_admintools/mscorier.
The downloaded data (mscorier) is an obfuscated batch script that creates a PowerShell script and executes it.
Fig4: Obfuscated batch script (payload 1)
This script downloads another payload (wsdprintproxy) from hxxp://185.128.42[.]194/wsdprintproxy and stores it in the registry key shown below so that it persists:
Fig5: Storing payload 2 in registry
Fig6: Registry entry of payload 2
For persistence, payload 1 also creates two scheduled tasks, which execute the obfuscated script.
Fig7: Code for persistence
One scheduled task is created with name FlashUpdateServiceInit, which runs daily at 11:00 a.m., and another task with name FlashUpdateService, which runs daily at 3:00 p.m.
After these tasks run, the script disables PowerShell ScriptBlock logging, so the first execution of the malicious script turns off logging of everything that follows.
Fig8: Enabling script block logging
To download its next payload, the malware initiates a GET request with the cookie “session=j4ppw/hpWdU/l5V3v9eymlAYxmE=” and downloads payload 3 from hxxps://185.128.42[.]194:8080/news.php.
Fig9: Downloading payload 3 from server
Fig10: Downloaded encrypted payload 3
The downloaded data is encrypted with RC4 and laid out as follows:
Data[0:4] = IV
Data[4:length(Data)] = Encrypted data
The RC4 key is hardcoded in the script:
Key = “a231fe7690a85f02eb147f53229c8e02”
Fig11: RC4 algorithm
The script will decrypt the downloaded data. It is, again, a PowerShell script, which is executed after decryption.
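The following decoder is an added example, not code from the Zscaler post or from the malware itself. It unpacks the layout described above (a 4-byte IV followed by RC4 ciphertext) using the key quoted in the post. RC4 has no IV of its own and the post does not say how the IV enters the cipher, so the example assumes the IV is prepended to the hardcoded key to form the RC4 key; `decrypt_stage`, `encrypt_stage` and the sample blob are constructed for illustration.

```python
# Added example (not from the Zscaler post): unpack the staging blob layout described
# above, a 4-byte IV followed by RC4 ciphertext, and recover the PowerShell inside.
STAGING_KEY = b"a231fe7690a85f02eb147f53229c8e02"   # the hardcoded key quoted in the post

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                             # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                # pseudo-random generation, XORed in
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_stage(blob: bytes, key: bytes = STAGING_KEY) -> bytes:
    """Split Data[0:4] (IV) from Data[4:] and RC4-decrypt the remainder.
    ASSUMPTION: RC4 has no IV of its own, so the IV is taken to be prepended to the
    hardcoded key to form the RC4 key; the post does not state how the IV is used."""
    if len(blob) < 5:
        raise ValueError("blob too short for a 4-byte IV plus ciphertext")
    iv, body = blob[:4], blob[4:]
    return rc4(iv + key, body)

def encrypt_stage(plaintext: bytes, iv: bytes, key: bytes = STAGING_KEY) -> bytes:
    """Inverse of decrypt_stage; used only to build the constructed sample below."""
    if len(iv) != 4:
        raise ValueError("IV must be exactly 4 bytes")
    return iv + rc4(iv + key, plaintext)

# Constructed sample, not a real captured payload 3.
SAMPLE_SCRIPT = b"Write-Host 'constructed stage'"
SAMPLE_BLOB = encrypt_stage(SAMPLE_SCRIPT, iv=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    print(decrypt_stage(SAMPLE_BLOB).decode())
```

If the decrypted bytes are not readable PowerShell, the key-derivation assumption is the first thing to re-check against the script in Fig11.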
The decrypted PowerShell script sends the encrypted RSA key together with the “IV” to the server at hxxps://185.128.42[.]194:8080/news.php. In response, the server sends the encrypted AES key to the victim.
The script fetches information from the victim’s machine, encrypts it with the AES key, and sends it to the server at: hxxps://185.128.42[.]194:8080/process.php.
Nonce|Server_URL|UserDomainName|UserName|Machine|IPAddress|OperatingSystem|True (if UserName=”system”) otherwise False|CurrentProcessName|ProcessID|powershell|PowershellVersion
The server responds with the final payload, a PowerShell script that appears to be part of the PowerShell Empire post-exploitation framework.
Transactions of this post-exploitation framework look like this:
Fig12: Network transactions
PowerShell Empire is a post-exploitation framework that provides Metasploit-like functionality in PowerShell and Python. It includes different types of backdoors with multiple modules. It targets Windows machines exclusively and is extremely useful in penetration testing. In some cases, however, attackers use this framework to hijack a user’s system and perform malicious activities.
Case II: DDE protocol abuse leads to Locky ransomware
In another recent case, a campaign of spam emails was delivering a Word document attachment that used the DDE technique, and the final payload of that campaign is Locky ransomware.
Fig13: DDE protocol abuse leads to Locky ransomware (case II)
In this case, attackers are writing obfuscated malicious field code in Word documents to evade detection; this code can be found in word-document.xml after extraction.
Fig14: Field word-document.xml obfuscated code
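Because the field code lives in the document.xml part of the .docx zip and is split across many runs to evade simple string matching, a scanner has to reassemble each field before looking for DDE. The script below is an added example (not from the Zscaler post): it joins the `w:instrText` runs of every field in document order, also reads simple `w:fldSimple` fields, and flags any code that invokes DDE or DDEAUTO. The sample document, its placeholder executable path and arguments are constructed for the example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + NS + "}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

def extract_field_codes(document_xml: bytes) -> list:
    """Return every field code in document.xml, joining instrText runs in document
    order (obfuscated samples split one code across many runs) and collapsing whitespace."""
    root = ET.fromstring(document_xml)
    fields, current, depth = [], [], 0
    for el in root.iter():
        if el.tag == W + "fldSimple":          # simple field: code is an attribute
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":          # complex field: begin/separate/end markers
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth:
                depth -= 1
                if depth == 0:                 # outermost field closed: emit it
                    fields.append("".join(current))
                    current = []
        elif el.tag == W + "instrText" and depth:
            current.append(el.text or "")
    return [" ".join(f.split()) for f in fields]

def find_dde_fields(docx_bytes: bytes) -> list:
    """Open a .docx (a zip container) and return only the field codes that invoke DDE."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        document_xml = z.read("word/document.xml")
    return [f for f in extract_field_codes(document_xml) if DDE_RE.search(f)]

# Constructed sample, not a captured document: a harmless PAGE field plus a DDEAUTO
# field split across two runs; the executable path and arguments are placeholders.
SAMPLE_DOCUMENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="%s"><w:body><w:p><w:fldSimple w:instr=" PAGE "/>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText>DDE</w:instrText></w:r>
<w:r><w:instrText>AUTO c:\\path\\to\\example.exe "placeholder args"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>""" % NS

_buf = io.BytesIO()                               # only word/document.xml is needed here
with zipfile.ZipFile(_buf, "w") as _zip:
    _zip.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
SAMPLE_DOCX = _buf.getvalue()
```

Run `find_dde_fields` over attachments at the mail gateway or in a sandbox to surface the reassembled field code for triage; it reads only document.xml, so headers, footers and other parts would need the same treatment.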
The exploit downloads the encoded PowerShell script from: hxxp://lestrangeresearch[.]com/kdjsw23FGS. It then decodes and executes it through cmd.
Fig15: Encoded PowerShell (payload 1)
The decoded script looks like this:
Fig16: Decoded PowerShell script (payload 1)
The decoded PowerShell script has six hardcoded malicious URLs.
The script tries to download content from one of these URLs and stores it in %temp% with the name hti4.exe. Upon successful download, the script executes the downloaded file.
Fig17: Downloaded payload 2
Payload 2 is the intermediate payload. Its function is to check the system for specified parameters. If it satisfies specific criteria, it then downloads encrypted data from: hxxp://spooner-motorsport[.]com.
Fig18: Encrypted Locky ransomware (payload 3)
This encrypted data is decrypted and launched by the intermediate payload (payload 2).
After decryption, the final payload is Locky ransomware, which encrypts the files, appends the .asasin extension after encryption, and demands ransom in Bitcoin for decryption.
Fig19: Ransom note (asasin.bmp)
Fig20: Locky payment site
Case III: Attack in New York
Recently, researchers at McAfee found a new phishing campaign from Russia's hacking group APT28 known as “Fancy Bear.”
APT28 capitalized on the recent terror attack in New York City by spreading emails with an attached malicious Word document named IsisAttackInNewYork.docx; the document appears to leverage the DDE technique.
In this case, the first-stage payload was a PowerShell script that downloads another base64 encoded PowerShell script. After that, the second-stage payload script downloads a new variant of Seduploader, which is spyware capable of taking screenshots, gathering sensitive data, and other intrusive activities.
If a document contains embedded malicious DDE code, Word shows the following warning to the user when the document is opened.
Fig21: Microsoft Word warning
The best way to prevent this DDE attack vector is to click “No” when this dialog box appears; this will stop further execution of the malware.
Another way to prevent this attack is to disable the DDE feature by modifying the registry.
Microsoft has also published a security advisory on securely opening Microsoft documents that contain a DDE field.
Attackers are abusing the Microsoft DDE protocol to download and execute malware using PowerShell. In the first case above, PowerShell led to an entire post-exploitation framework that was built for penetration testing; attackers are using that framework for malicious purposes, such as stealing a user’s sensitive information, uploading and executing malware on a user’s machine, altering the user’s data, and so on. In the other cases, the DDE protocol led to ransomware, including Locky, which encrypts the victim’s data and demands ransom for the decryption.
The malware analyzed in this blog is detected as COM.Downloader.DDE.