Less than a week after a Sensepost blog highlighted how to abuse Microsoft Office functionality to deliver malware to systems via phishing messages, PhishMe® observed attackers abusing this feature of Microsoft Windows. This highlights how quickly malicious actors capitalize on such revelations, outpacing many organizations’ abilities to understand and respond to emerging threats.
On 9 October 2017, Sensepost security researchers published a report detailing how Microsoft Word’s Dynamic Data Exchange (DDE) protocol functionality can be leveraged to command execution in Word without using Macros or memory corruption. The DDE protocol has been a part of Microsoft Windows since version 2.0 in 1987. DDE enables documents to exchange information, which is very useful. For example, a sales report in Word can request updated figures from an Excel worksheet or Access database, streamlining sharing of information. However, as seen in figure 1, this functionality can be abused by crafting a special set of instructions in the DDE field embedded in the document to launch PowerShell (the command line) and run arbitrary code.
Figure 1 – PowerShell scripting used in conjunction with DDE to deliver malware
Shortly after the blog was published, PhishMe observed phishing messages containing documents with malicious DDE fields designed to deliver the Chanitor malware, also known as Hancitor. The DocuSign-themed emails prompted recipients to click a link, similar to figure 2, or open a document to access allegedly important documents requiring a signature. The URL would download a Word document and once opened, launched PowerShell commands to download and run Chanitor malware. Chanitor is a modular downloader malware used to both report newly infected machines to a command-and-control host and to deliver additional malware.
Figure 2 – A nondescript prompt allows users to enable the malware content to execute
From there, the attack leveraged subsequent malware payloads to collect stored credentials for exfiltration, establish communication with botnet command and control, and to add anti-analysis functionality, as further detailed in PhishMe Active Threat Report ID 10120.
Macro scripting in Microsoft Office has long been an avenue for malware delivery. As this attack vector recently became popular again, information security professionals have responded by educating their users to remain vigilant and to not click on an “Enable Macros” banner as seen below in figure 3.
Figure 3 – Example of “Enable Macros” prompt so familiar to information security professionals
In the past year, malicious actors have tried to change the appearance of their attacks to build legitimacy with the targeted victim and to make it difficult for the recipient to determine the documents content. For example, as shown in figure 4, some attacks started to include password-protected documents.
Figure 4 – Password protection makes identifying the content of a document more difficult
Additionally, Object Linking and Embedding (OLE) abuse further altered the interaction required from the user and made it easier for a malicious actor to deliver malware. In addition to providing the user with fewer indications of trouble, both this and password protection allow the attacker to circumvent security technologies. Specifically, precision required to click on an OLE object’s icon, as shown in figure 5, may exceed the parameters of automated input for an inline security sandbox, while a password-protected document would not reveal its content.
Figure 5 – OLE object abuse provides advantages to attackers in malware delivery
This DDE abuse tactic is the latest evolution in the abuse of Microsoft Office features and since this behavior abuses a functionality built into the Microsoft Office suite, attackers will almost certainly continue to abuse the protocol for the foreseeable future.
PhishMe continues to follow the worrisome escalation of Microsoft Office abuse techniques. This most recent example highlights how malicious actors leverage legitimate functionalities and emphasizes the importance of educating users effectively and remaining vigilant in tracking evolving techniques (and their associated prompts).
Your staff is the last line of defense. It is critical that they are trained to be recognize and report suspicious emails. And don’t ever miss another threat! Sign up for PhishMe® Threat Alerts today and receive updates on new and emerging phishing and malware threats, completely free.