Last calendar week we reported how hackers could leveraging an one-time Microsoft Office characteristic called Dynamic Data Exchange (DDE), to perform malicious code execution on the targeted device without requiring Macros enabled or retention corruption.
DDE protocol is ane of the several methods that Microsoft uses to permit 2 running applications to part the same data.
The protocol is existence used past times thousands of apps, including MS Excel, MS Word, Quattro Pro, in addition to Visual Basic for one-time information transfers in addition to for continuous exchanges for sending updates to ane another.
The DDE exploitation technique displays no "security" warnings to victims, except bespeak them if they desire to execute the application specified inward the command—although this popup warning could equally good hold upwards eliminated "with proper syntax modification."
Soon later the details of DDE develop on technique went public, Cisco's Talos threat question grouping published a study almost an develop on displace actively exploiting this develop on technique inward the wild to target several organisations amongst a fileless remote access trojan (RAT) called DNSMessenger.
Necurs Botnet Using DDE Attack to Spread Locky Ransomware
Now, hackers direct keep been constitute using the Necurs Botnet—malware that currently controls over vi ane 1000 k infected computers worldwide in addition to sends millions of emails—to distribute Locky ransomware in addition to TrickBot banking trojan using Word documents that leverage the newly discovered DDE develop on technique, reported SANS ISC.
Locky ransomware hackers previously relied on macros-based booby-trapped MS Office documents, precisely right away they direct keep updated the Nercus Botnet to deliver malware via the DDE exploit in addition to attain an mightiness to direct keep screenshots of the desktops of victims.
"What’s interesting almost this novel moving ridge is that the downloader right away contains novel functionality to assemble telemetry from victims," Symantec said inward a blog post.
"It tin direct keep enshroud grabs in addition to ship them dorsum to a remote server. There’s equally good an error-reporting capability that volition ship dorsum details of whatever errors that the downloader encounters when it tries to deport out its activities."
Hancitor Malware Using DDE Attack
Another dissever malware spam displace discovered past times safety researchers has equally good been constitute distributing Hancitor malware (also known equally Chanitor in addition to Tordal) using Microsoft Office DDE exploit.
Hancitor is a downloader that installs malicious payloads similar Banking Trojans, information theft malware in addition to Ransomware on infected machines in addition to is unremarkably delivered equally a macro-enabled MS Office document inward phishing emails.
How to Protect Yourself From Word DDE Attacks?
Since DDE is a Microsoft's legitimate feature, most antivirus solutions produce non flag whatever warning or block MS Office documents amongst DDE fields, neither the tech companionship has whatever plans of issuing a spell that would take its functionality.
So, you lot tin protect yourself in addition to your arrangement from such attacks past times disabling the "update automatic links at open" alternative inward the MS Office programs.
To produce so, Open Word → Select File → Options → Advanced in addition to scroll downwardly to General in addition to and thence uncheck "Update Automatic links at Open."
However, the best agency to protect yourself from such attacks is ever to hold upwards suspicious of whatever uninvited document sent via an e-mail in addition to never click on links within those documents unless adequately verifying the source.
Share This :
comment 0 Comments
more_vert