Since new forms of cybercrime are on the rise, traditional techniques seem to be shifting towards more clandestine that involve the exploitation of standard system tools and protocols, which are not always monitored.
Security researchers at Cisco’s Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring Macros enabled or memory corruption.
This Macro-less code execution in MSWord technique, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, which leverages a built-in feature of MS Office, called Dynamic Data Exchange (DDE), to perform code execution.
Dynamic Data Exchange (DDE) protocol is one of the several methods that Microsoft allows two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.
Thousands of applications use the DDE protocol, including Microsoft’s Excel, MS Word, Quattro Pro, and Visual Basic.
The exploitation technique that the researchers described displays no “security” warnings to victims, except asking them if they want to execute the application specified in the command—however, this popup alert could also be eliminated “with proper syntax modification,” the researchers say.
The duo has also provided a proof-of-concept video demonstrating the technique.
MS Word DDE Attack Being Actively Exploited In the Wild
As described by Cisco researchers, this technique was found actively being exploited in the wild by hackers to target several organisations using spear phishing emails, which were spoofed to make them look as if they’re sent by the Securities and Exchange Commission (SEC) and convince users into opening them.
“The emails themselves contained a malicious attachment [MS Word] that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware,” reads a blog post published by Talos researchers.
Earlier March, Talos researchers found attackers distributing DNSMessenger—a completely fileless remote access trojan (RAT) that uses DNS queries to conduct malicious PowerShell commands on compromised computers.
Once opened, victims would be prompted with a message informing them that the document contains links to external files, asking them to allow or deny the content to be retrieved and displayed.
If allowed, the malicious document will communicate to the attacker hosted content in order to retrieve code that’ll be executed to initiate the DNSMessenger malware infection.
“Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose,” the researchers say.
How to Protect Yourself And Detect MS Word DDE Attacks
What’s more worrying? Microsoft doesn’t consider this as a security issue, rather according to the company the DDE protocol is a feature that can not be removed but could be improved with better warning alerts for users in future.
Although there’s no direct way to disable DDE code execution, users can proactively monitor system event logs to check possible exploitation.
Besides this, the researchers at NVISO Labs have also shared two YARA rules to detect DDE vector in Office Open XML files.
The best way to protect yourself from such malware attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless properly verifying the source.