Dynamic Data Exchange (DDE) Code Execution in MSWord

    • Updated: 5 Mar 2018
    • Product/Version: Deep Discovery Analyzer 5.8, Deep Discovery Inspector 5.0, OfficeScan XG.All
    • Platform: N/A
Summary

Sensepost published an article, Macro-less Code Exec in MSWord, describing a new method to execute code in Microsoft Word that does not rely on the usual macros. The method uses the Dynamic Data Exchange (DDE) protocol.

[Image: Macroless Code Exec in MSWord]

"Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available."

At the time of writing, this method has been seen used by known threats such as Hancitor, Locky, and EMOTET. The issue has been reported to Microsoft; however, Microsoft responded that DDE is a feature, that no further action will be taken, and that it will be considered as a next-version candidate bug.

Details

Related IOCs & Solutions

HASH | VIRUS SCAN | BEHAVIOR MONITORING
1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 | TROJ_POWLOAD.XML | Blocked
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb | TROJ_POWSHELL.IA | Blocked
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf | TROJ_POWSHELL.IA |
f0788436036e74103408ca9b0d8dc7c47648ec44846fb85cbb9655fe485a9fbf (Polski Ransomware .aes extension) | TROJ_POWMET.DF |
31b8c756f789cd865060085b48e8c7c20ee1612eb897e3c044564dfd669894b8 | TROJ_DEDEX.B | Blocked
URLs | WRS
trt[.]doe[.]louisiana[.]gov/fonts.txt | Blocked

To configure Trend Micro products for proactive prevention and monitoring:

Virus Scan

Enabling Virus Scan (Smart Scan or Conventional Scan) allows detection of known documents that use this malicious technique.

[Screenshot: OSCE VSAPI]

Refer to Related IOCs above for the detection names.

To configure this setting, open OfficeScan Management Console > Agents > Agent Management > Select Agent > Settings > Scan Settings. This setting is enabled by default on the agent.

[Screenshot: Real-time Scan Settings]

Behavior Monitoring

This feature helps block DDE execution when the user opens a malicious document. This setting is enabled by default on the agent.

  • Detection for WINWORD.EXE with malicious DDE

    [Screenshot: AEGIS]

  • Detection for CMD.EXE from malicious DDE

    [Screenshot: OSCE AEGIS 2]

Refer to Related IOCs above for the list of known files whose behaviors are blocked by OfficeScan’s Behavior Monitoring.

To configure this setting, open OfficeScan Management Console > Agents > Agent Management > Select Agent > Settings > Behavior Monitoring Settings. This setting is enabled by default on the agent.

[Screenshot: Behavior Monitoring Settings]
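To make the process relationship that Behavior Monitoring keys on concrete (WINWORD.EXE launching CMD.EXE), here is an added detector written for this article, not a Trend Micro component, run over constructed process-creation events. It goes slightly beyond the two rules above by walking the ancestor chain, so a shell started indirectly under Word (cmd.exe, then powershell.exe) is reported with its full chain. The CSV layout and image paths are assumptions.

```python
import csv
import io

# Constructed process-creation events for this example (not real telemetry).
SAMPLE_EVENTS = r"""time,pid,ppid,image,cmdline
10:00:01,4100,900,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,WINWORD.EXE /n invoice.docx
10:00:03,4180,4100,C:\Windows\System32\cmd.exe,cmd.exe /c placeholder
10:00:04,4205,4180,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -placeholder
10:05:00,5000,900,C:\Windows\explorer.exe,explorer.exe
10:05:02,5010,5000,C:\Windows\System32\cmd.exe,cmd.exe
"""

OFFICE = {"winword.exe"}                # the document host this article covers
SHELLS = {"cmd.exe", "powershell.exe"}  # interpreters behind the CMD.EXE / TROJ_POWSHELL detections

def image_name(row):
    """Lower-cased file name of the process image, e.g. 'winword.exe'."""
    return row["image"].rsplit("\\", 1)[-1].lower()

def flag_office_spawned_shells(events_csv, office=OFFICE, shells=SHELLS):
    """Return (pid, chain) for every shell whose ancestor chain reaches an Office process.
    The chain is listed child-to-parent so the analyst sees how the shell was reached."""
    rows = list(csv.DictReader(io.StringIO(events_csv)))
    by_pid = {int(r["pid"]): r for r in rows}
    alerts = []
    for row in rows:
        if image_name(row) not in shells:
            continue
        chain, ppid, seen = [image_name(row)], int(row["ppid"]), set()
        # Walk upwards until an Office parent is found, the tree ends, or a cycle appears.
        while ppid in by_pid and ppid not in seen:
            seen.add(ppid)
            parent = by_pid[ppid]
            chain.append(image_name(parent))
            if image_name(parent) in office:
                alerts.append((int(row["pid"]), " <- ".join(chain)))
                break
            ppid = int(parent["ppid"])
    return alerts

if __name__ == "__main__":
    for pid, chain in flag_office_spawned_shells(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```

The explorer.exe-launched cmd.exe in the sample is deliberately not flagged; only shells under a Word ancestor are.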

Web Reputation

Enabling Web Reputation allows detection of access to known malicious URLs requested from a document with DDE. This setting is enabled by default on the agent.

[Screenshot: Web Reputation Logs]

Refer to Related IOCs above for a list of known URLs that are blocked by OfficeScan’s Web Reputation feature.

To configure this setting, open OfficeScan Management Console > Agents > Agent Management > Select Agent > Settings > Web Reputation Settings. This setting is enabled by default on the agent.

[Screenshot: Web Reputation Settings]

Known Malware Detections

This allows detection of known files with malicious DDE.

[Screenshot: Known Malware Detections]

Heuristic Detections

This allows detection of files with malicious DDE characteristics.

[Screenshot: Heuristic Detections]
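To show what "malicious DDE characteristics" look like inside a file, here is an added static scanner written for this article, not a Trend Micro component. It unpacks a .docx, walks every document part (body, headers, footers) and reports field instructions that start a DDE conversation, joining instructions that Word splits across several instrText runs. The sample document is constructed inline with a harmless placeholder field.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# A field instruction starting with DDE or DDEAUTO makes Word open a DDE conversation on load.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def field_instructions(xml_bytes):
    """Collect every field instruction in one WordprocessingML part; Word may split one
    complex-field instruction across several instrText runs, so runs are joined per field."""
    found, current, depth = [], [], 0
    for el in ET.fromstring(xml_bytes).iter():
        tag = el.tag.split("}")[-1]
        if tag == "fldSimple":                 # simple field: instruction is an attribute
            found.append(el.get(f"{{{W_NS}}}instr", ""))
        elif tag == "fldChar":
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:                 # outermost field closed (nested fields kept whole)
                    found.append("".join(current))
                    current = []
        elif tag == "instrText" and depth > 0:
            current.append(el.text or "")
    return [" ".join(s.split()) for s in found]   # normalise whitespace between runs

def find_dde_fields(docx_bytes):
    """Scan body, headers and footers of a .docx (a zip) and return (part, instruction) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits += [(name, i) for i in field_instructions(z.read(name)) if DDE_RE.search(i)]
    return hits

def build_sample_docx(instr_runs):
    """Constructed minimal .docx (not a real sample): one complex field split across instr_runs."""
    runs = "".join(f"<w:r><w:instrText xml:space='preserve'>{t}</w:instrText></w:r>" for t in instr_runs)
    body = (f"<w:document xmlns:w='{W_NS}'><w:body><w:p><w:r><w:fldChar w:fldCharType='begin'/></w:r>"
            + runs + "<w:r><w:fldChar w:fldCharType='separate'/></w:r><w:r><w:t>placeholder</w:t></w:r>"
            "<w:r><w:fldChar w:fldCharType='end'/></w:r></w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
    return buf.getvalue()
```

Because runs are joined before matching, a field whose keyword is broken across runs ("DDE" + "AUTO ...") is still reported, while ordinary fields such as DATE are not.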

To configure this setting, open DDI Management Console > Administration > Monitoring/Scanning > Threat Detections.

[Screenshot: Threat Detections]

Web Reputation Detection

This allows detection of known dangerous URLs listed in the Web Reputation Services database. This rule is enabled by default.

[Screenshot: Web Reputation Detection]

To configure this setting, open DDI Management Console > Administration > Monitoring/Scanning > Web Reputation.

[Screenshot: Web Reputation]

First, make sure DDAN is configured to analyze .doc and .docx files.

[Screenshot: Sandbox Management]

Take note that .doc and .docx files are analyzed using the default setting.

Once files are submitted to DDAN, either through connected Trend Micro Products or through manual submission, these files will be designated as Suspicious Objects with the name VAN_DROPPER.UMXX.

[Screenshot: Risk Level]

You can view the report to check DDAN's analysis and see the malicious behavior, such as launched processes that match the DDE code embedded in the document file.

[Screenshot: DDE Code]

When integrated with Trend Micro Control Manager, users can configure these Suspicious Objects to be logged, blocked, or quarantined.

Microsoft has since issued a patch for Microsoft Office to prevent this kind of attack. Complete patch details can be found on this page: Microsoft Security Update Guide.

Category: Configure; SPEC
Solution Id: 1118604