Malware: infections via Microsoft Office Dynamic Data Exchange (DDE)
Context
Cybercriminals are constantly searching for new ways to deploy malicious code on their victims' systems. While sophisticated groups exploit 0-day vulnerabilities in Flash Player for targeted attacks, it is not uncommon to see other actors adopt less sophisticated but easily applicable methods in mass malware distribution campaigns.
This is the case for DDE (for Dynamic Data Exchange), a Windows feature used in Word and other Office products to embed dynamic external content within a document. For the past few weeks, articles have been popping up online describing how to execute arbitrary commands on a system by exploiting DDE. Today, we've seen that this opportunity hasn't escaped the notice of cybercriminals.
Let's look back at a specific case we were able to observe and the possible countermeasures.
In practice
We obtained a sample of emails from a distribution campaign of the Locky ransomware following a classic format: an attachment in .doc format, accompanied by a succinct message suggesting that it is an invoice.
By default, when opening a document containing DDE fields, Word (for example) will attempt to automatically update the content associated with these resources. Opening the document therefore displays a dialog box:
Choosing "Yes" displays a new dialog box, which contains elements of the code that will be executed and may indicate to the informed user that something suspicious is going on:
Selecting "Yes" at this point triggers the code's execution. A "No" to either option is enough to disarm the trap.
Displaying the document fields allows you to view the code associated with the DDE functionality. In our case, it's a simple PowerShell command line that downloads a script before executing it:
After several intermediate payloads, the final malware is deployed. In this case it was a variant of Locky:
Prevention
This analysis shows that the DDE infection vector is, in practice, very simple to implement. Fortunately for potential victims, it is necessary to confirm two dialog boxes before the payload is executed, and some of the text in these windows can alert the user to the malicious nature of the situation. These aspects may limit the effectiveness of the technique, but the analysis also shows that cybercriminals are not deterred by such considerations and are willing to try anything to surprise their targets.
It is still possible to completely eliminate the appearance of dialog boxes by disabling the DDE link update functionality when opening a document.
Individuals can protect themselves by unchecking the "Update links on opening" box in the Advanced options of Office programs:
This setting can be controlled via Group Policy (GPO) for larger-scale deployments. First, the Office administrative templates must be installed. Then, a Group Policy Object must be created and edited under User Configuration > Administrative Templates. From there, select the products to configure and set the link update option to Disabled.
Outlook Case
This was not the case in the observed campaign, but a DDE field can also be included directly in the body of an email, without using an attachment. A new limiting factor then appears for the operation: the link updates only occur when the email is opened in editable mode, i.e., to reply to or forward it.
There is no built-in option in Outlook or in the administrative templates to block this behavior; it requires a registry modification. This change can still be deployed via Group Policy, through User Configuration > Preferences > Windows Settings > Registry in the Group Policy editor. Next, a new Registry item must be created with the following parameters:
- Action: Update
- Hive: HKEY_CURRENT_USER
- Path: SOFTWARE\Microsoft\Office\16.0\Word\Options\WordMail
- Value name: DontUpdateLinks
- Value type: REG_DWORD
- Data value: 1
The number in the path is linked to the Office version; in this case, 16.0 corresponds to Office 2016. 15.0 is used for Office 2013, and so on; it is necessary to adapt this value to the existing environment.
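The same Outlook hardening applied locally with PowerShell for every Office version present in the user's registry hive, as an added example (not part of the original article): the key and value are the ones listed above; the function names and the version-discovery logic are assumptions of this example.

```powershell
# Added example: set DontUpdateLinks=1 under WordMail for each Office version
# found in HKCU, then read the value back to confirm. Runs in the user's context.
function Get-OfficeVersions {
    # Version subkeys look like 16.0 (Office 2016), 15.0 (Office 2013), ...
    $root = 'HKCU:\SOFTWARE\Microsoft\Office'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object { $_.PSChildName }
}

function Set-WordMailDontUpdateLinks {
    param(
        [string[]]$Versions = (Get-OfficeVersions),
        [switch]$AuditOnly   # report the current state without changing anything
    )
    foreach ($v in $Versions) {
        # Path from the article; only the version component varies.
        $key = "HKCU:\SOFTWARE\Microsoft\Office\$v\Word\Options\WordMail"
        $current = (Get-ItemProperty -Path $key -Name DontUpdateLinks `
                    -ErrorAction SilentlyContinue).DontUpdateLinks
        if ($AuditOnly) {
            [pscustomobject]@{ Version = $v; DontUpdateLinks = $current }
            continue
        }
        # Same effect as the GPO item with Action "Update": create if missing.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name DontUpdateLinks -PropertyType DWord `
            -Value 1 -Force | Out-Null
        $after = (Get-ItemProperty -Path $key -Name DontUpdateLinks).DontUpdateLinks
        [pscustomobject]@{ Version = $v; DontUpdateLinks = $after; Compliant = ($after -eq 1) }
    }
}

# Usage:
#   Set-WordMailDontUpdateLinks -AuditOnly   # show the current state per version
#   Set-WordMailDontUpdateLinks              # enforce the value and show the result
```

Run the audit form first on a test machine: a version that reports an empty DontUpdateLinks is one where Outlook will still update DDE links when a message is opened for reply or forward.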
Indicators of compromise
Domains used for downloading intermediate and final payloads:
SHA-256 hashes of the components:
- Original .doc file: ea132c34ebbc591eda78531e2bfb9a4cb40e55a245191f54e82df25be9b58db2
- Dropper intermediate: d2cca5f6109ec060596d7ea29a13328bd0133ced126ab70974936521db64b4f4
- Locky executable: 4c054127056fb400acbab7825aa2754942121e6c49b0f82ae20e65422abdee4f
