
MS Office Built-In Feature Allows Malware Execution Without Macros Enabled

Since new forms of cybercrime are on the rise, traditional techniques appear to be shifting towards more covert ones that involve the exploitation of standard system tools and protocols, which are not always monitored.

Security researchers at Cisco's Talos threat research group have discovered one such attack campaign spreading malware-equipped Microsoft Word documents that perform code execution on the targeted device without requiring macros to be enabled or any memory corruption.

This macro-less code execution technique in MS Word, described in detail on Monday by a pair of security researchers from Sensepost, Etienne Stalmans and Saif El-Sherei, leverages a built-in feature of MS Office called Dynamic Data Exchange (DDE) to perform code execution.

The Dynamic Data Exchange (DDE) protocol is one of several methods Microsoft provides for two running applications to share the same data. The protocol can be used by applications for one-time data transfers and for continuous exchanges in which apps send updates to one another as new data becomes available.

Thousands of applications use the DDE protocol, including Microsoft's Excel, MS Word, Quattro Pro, and Visual Basic.

The exploitation technique that the researchers described displays no "security" warnings to victims, except for asking them whether they want to execute the application specified in the command; however, this popup alert could also be eliminated "with proper syntax modification," the researchers say.

The duo has also provided a proof-of-concept video demonstrating the technique.

MS Word DDE Attack Being Actively Exploited In the Wild


As described by Cisco researchers, this technique was found being actively exploited in the wild by hackers to target several organisations using spear-phishing emails, which were spoofed to make them look as if they had been sent by the Securities and Exchange Commission (SEC) and convince users into opening them.
"The emails themselves contained a malicious attachment [MS Word] that when opened would initiate a sophisticated multi-stage infection process leading to infection with DNSMessenger malware," reads a blog post published by Talos researchers.
Earlier in March, Talos researchers found attackers distributing DNSMessenger, a completely fileless remote access trojan (RAT) that uses DNS queries to carry out malicious PowerShell commands on compromised computers.

Once opened, victims would be prompted with a message informing them that the document contains links to external files, asking them to allow or deny the content to be retrieved and displayed.
If allowed, the malicious document will communicate with the attacker-hosted content in order to retrieve code that will be executed to initiate the DNSMessenger malware infection.
"Interestingly, the DDEAUTO field used by this malicious document retrieved code that the attacker had initially hosted on a Louisiana state government website, which was seemingly compromised and used for this purpose," the researchers say.

How to Protect Yourself And Detect MS Word DDE Attacks


What's more worrying? Microsoft doesn't consider this a security issue; rather, according to the company, the DDE protocol is a feature that cannot be removed but could be improved with better warning alerts for users in future.

Although there's no direct way to disable DDE code execution, users can proactively monitor system event logs to check for possible exploitation.

Besides this, the researchers at NVISO Labs have also shared two YARA rules to detect the DDE vector in Office Open XML files.
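The detection idea behind such rules can also be implemented directly, since a .docx is a zip package whose field instructions are plain XML. The script below is an added example written for this page, not code from NVISO Labs, Talos or Sensepost: it opens a .docx, reassembles each field instruction (Word splits one instruction across several `w:instrText` runs, which is also why a naive substring check on the raw XML can miss it) and reports any field that begins with DDE or DDEAUTO. The `build_sample_docx` helper, the placeholder application and topic names, and the "Quarterly report" paragraph are all constructed here as a fixture so the scanner can be run offline; they are not from any real document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def _w(tag):
    # Clark-notation name for a WordprocessingML element or attribute.
    return f"{{{W_NS}}}{tag}"

# DDE and DDEAUTO field instructions, matched case-insensitively and with
# leading whitespace ignored, since Word accepts both and padding is common.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)

# Package parts in which Word evaluates fields when a document opens.
FIELD_PARTS = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")

def _field_instructions(part_xml):
    """Yield every field instruction string in one WordprocessingML part.

    A complex field is a fldChar begin/end pair with its instruction spread
    over one or more instrText runs, so runs are concatenated per field (a
    stack handles nested fields). A simple field carries its instruction in
    the w:instr attribute of fldSimple. An instrText outside any field is
    malformed but still reported rather than silently dropped.
    """
    stack = []
    for el in ET.fromstring(part_xml).iter():
        if el.tag == _w("fldChar"):
            kind = el.get(_w("fldCharType"))
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == _w("instrText"):
            if stack:
                stack[-1].append(el.text or "")
            else:
                yield el.text or ""
        elif el.tag == _w("fldSimple"):
            instr = el.get(_w("instr"))
            if instr:
                yield instr

def find_dde_fields(docx_bytes):
    """Return (part name, whitespace-normalised instruction) per DDE field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if FIELD_PARTS.match(name):
                for instr in _field_instructions(zf.read(name)):
                    if DDE_RE.match(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits

def build_sample_docx(instructions):
    """Build a minimal constructed .docx whose body holds the given fields.

    Each instruction is split across two instrText runs, as Word itself does,
    so the scanner's reassembly is exercised. Only the parts the scanner
    needs are written; this is a test fixture, not a complete Word file.
    """
    paras = []
    for instr in instructions:
        mid = len(instr) // 2
        runs = "".join(
            f'<w:r><w:instrText xml:space="preserve">{escape(chunk)}</w:instrText></w:r>'
            for chunk in (instr[:mid], instr[mid:])
        )
        paras.append(
            '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>[field result]</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>' +
        "".join(paras) + "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: one DDEAUTO field with placeholder arguments and one
    # ordinary DATE field that must not be flagged.
    sample = build_sample_docx([
        " DDEAUTO placeholder-app placeholder-topic ",
        ' DATE \\@ "yyyy" ',
    ])
    for part, instr in find_dde_fields(sample):
        print(f"{part}: {instr}")
```

To scan a real attachment, pass the file's bytes to `find_dde_fields`; headers, footers and footnote parts are scanned as well as the main body because a field in any of them is evaluated at open time. The scanner only reports the field instruction and never executes it, so it is safe to run on suspicious mail attachments as a triage step alongside the event-log monitoring mentioned above.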

The best way to protect yourself from such malware attacks is always to be suspicious of any uninvited document sent via email and never to click on links inside those documents unless you have properly verified the source.