hacker7 Posted October 20, 2017 Share Posted October 20, 2017 Unpatched Microsoft Word DDE Exploit Being Used In Widespread Malware Attacks Thursday, October 19, 2017 A newly discovered unpatched attacking method that exploits a built-in feature of Microsoft Office is currently being used in various widespread malware attack campaigns.Last week we reported how hackers could leveraging an old Microsoft Office feature called Dynamic Data Exchange (DDE), to perform malicious code execution on the targeted device without requiring Macros enabled or memory corruption. DDE protocol is one of the several methods that Microsoft uses to allow two running applications to share the same data. The protocol is being used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.The DDE exploitation technique displays no "security" warnings to victims, except asking them if they want to execute the application specified in the command—although this popup alert could also be eliminated "with proper syntax modification." Soon after the details of DDE attack technique went public, Cisco's Talos threat research group published a report about an attack campaign actively exploiting this attack technique in the wild to target several organisations with a fileless remote access trojan (RAT) called DNSMessenger. Necurs Botnet Using DDE Attack to Spread Locky Ransomware Now, hackers have been found using the Necurs Botnet—malware that currently controls over 6 million infected computers worldwide and sends millions of emails—to distribute Locky ransomware and TrickBot banking trojan using Word documents that leverage the newly discovered DDE attack technique, reported SANS ISC. Locky ransomware hackers previously relied on macros-based booby-trapped MS Office documents, but now they have updated the Nercus Botnet to deliver malware via the DDE exploit and gain an ability to take screenshots of the desktops of victims. "What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims," Symantec said in a blog post. "It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities." Hancitor Malware Using DDE Attack Another separate malware spam campaign discovered by security researchers has also been found distributing Hancitor malware (also known as Chanitor and Tordal) using Microsoft Office DDE exploit. Hancitor is a downloader that installs malicious payloads like Banking Trojans, data theft malware and Ransomware on infected machines and is usually delivered as a macro-enabled MS Office document in phishing emails. How to Protect Yourself From Word DDE Attacks? Since DDE is a Microsoft's legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with DDE fields, neither the tech company has any plans of issuing a patch that would remove its functionality. So, you can protect yourself and your organisation from such attacks by disabling the "update automatic links at open" option in the MS Office programs. To do so, Open Word → Select File → Options → Advanced and scroll down to General and then uncheck "Update Automatic links at Open." However, the best way to protect yourself from such attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source. ٍSource Link to comment Share on other sites More sharing options...
steven36 Posted October 20, 2017 Share Posted October 20, 2017 M$ office not only causes a lot of problems with malware on Windows it's the #1 cause of malware on MAC OS too. I don't use M$ office at home but some others on my network do is this not already been mitigated by Anti-malware? DEE Exploit via filehost .exe type spoted in the wild on Filefactroy https://virustotal.com/en/file/316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea/analysis/ Word DEE Exploit https://www.virustotal.com/en/file/1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428/analysis/ Yes it has to answer my own question . Link to comment Share on other sites More sharing options...
hacker7 Posted October 20, 2017 Author Share Posted October 20, 2017 9 hours ago, steven36 said: M$ office not only causes a lot of problems with malware on Windows it's the #1 cause of malware on MAC OS too. I don't use M$ office at home but some others on my network do is this not already been mitigated by Anti-malware? DEE Exploit via filehost .exe type spoted in the wild on Filefactroy https://virustotal.com/en/file/316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea/analysis/ Word DEE Exploit https://www.virustotal.com/en/file/1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428/analysis/ Yes it has to answer my own question . Yes and in fact i know a friend who has been infected badly on Mac os Link to comment Share on other sites More sharing options...
steven36 Posted October 20, 2017 Share Posted October 20, 2017 1 minute ago, hacker7 said: Yes and in fact i know a friend who has been infected badly on Mac os Here is another Office one out in the wild . DEE Exploit Attacking Freddie Mac employees https://www.virustotal.com/en/file/a335270704e339babeb19e81dccaf3dfa0808bdd4ae7f4b1a1ddbbd65f5e017d/analysis/ Link to comment Share on other sites More sharing options...
hacker7 Posted October 20, 2017 Author Share Posted October 20, 2017 9 hours ago, steven36 said: DEE Exploit Attacking Freddie Mac employees https://www.virustotal.com/en/file/a335270704e339babeb19e81dccaf3dfa0808bdd4ae7f4b1a1ddbbd65f5e017d/analysis/ Link to comment Share on other sites More sharing options...
steven36 Posted October 20, 2017 Share Posted October 20, 2017 1 hour ago, hacker7 said: Chinese backdoor malware resurfaces after more than a decade http://www.zdnet.com/article/chinese-backdoor-malware-resurfaces-after-more-than-a-decade/ Hackers Door Link to comment Share on other sites More sharing options...
hacker7 Posted October 20, 2017 Author Share Posted October 20, 2017 9 hours ago, steven36 said: Chinese backdoor malware resurfaces after more than a decade http://www.zdnet.com/article/chinese-backdoor-malware-resurfaces-after-more-than-a-decade/ Hackers Door Quote malware can grab screenshots and files, covertly download additional tools, and open telnet and remote access port. The tool can also extract Windows user's credential from the current session and grab system information. Must say: sheers for Winnti. Malware been ruining over a decade and they just found out about it ! Quote The group is known to focus on large pharmaceutical companies and the video game industry, The Motha F**ckas must be rich by now Link to comment Share on other sites More sharing options...
hacker7 Posted October 20, 2017 Author Share Posted October 20, 2017 tho they are not even sure about windows 10 yet Link to comment Share on other sites More sharing options...
UmbraEmsisoft Posted October 21, 2017 Share Posted October 21, 2017 AV's scanners may not catch this attack but their behavior blockers or HIPS will. Link to comment Share on other sites More sharing options...
hacker7 Posted October 21, 2017 Author Share Posted October 21, 2017 9 hours ago, UmbraEmsisoft said: AV's scanners may not catch this attack but their behavior blockers or HIPS will. Are U talking about the Unpatched Microsoft Word ? or the Winnti Malware? Link to comment Share on other sites More sharing options...
UmbraEmsisoft Posted October 23, 2017 Share Posted October 23, 2017 On 10/21/2017 at 4:23 PM, hacker7 said: Are U talking about the Unpatched Microsoft Word ? or the Winnti Malware? the unpatched one. Didn't checked yet for the Winnti version. Link to comment Share on other sites More sharing options...
UmbraEmsisoft Posted October 24, 2017 Share Posted October 24, 2017 @0bin Yes uninstalled for the moment. Link to comment Share on other sites More sharing options...
UmbraEmsisoft Posted October 24, 2017 Share Posted October 24, 2017 6 hours ago, 0bin said: Try the 64bit version of SimpleDNSCrypt, I had a performance improvement. With 720 I am fine, there is not anymore the bug on scan with Hitman Pro that trigger the exploit alert in all previous ones. well spotted for SimpleDNS crypt For HMPA 720, try to run a backup with Windows Backup & Restore , and save it to another partition. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.