Dynamic Data Exchange (DDE) Code Execution in MSWord

Updated: 20 Nov 2017
Product/Version: Deep Discovery Analyzer 5.8; Deep Discovery Inspector 5.0; OfficeScan XG.All
Platform: N/A
Summary

SensePost published an article, Macro-less Code Exec in MSWord, describing a new method to execute code from Microsoft Word that does not rely on the usual macros. The method works through the Dynamic Data Exchange (DDE) protocol.

Figure: Macroless Code Exec in MSWord

"Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available."

At the time of writing, this method has been seen in use by known threats such as Hancitor, Locky, and EMOTET. The issue was reported to Microsoft; Microsoft responded that DDE is a feature, that no further action will be taken, and that it will be considered as a candidate bug for a next version.

Details

Related IOCs & Solutions

HASH | VIRUS SCAN | BEHAVIOR MONITORING
1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 | TROJ_POWLOAD.XML | Blocked
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb | TROJ_POWSHELL.IA | Blocked
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf | TROJ_POWSHELL.IA |
f0788436036e74103408ca9b0d8dc7c47648ec44846fb85cbb9655fe485a9fbf (Polski Ransomware, .aes extension) | TROJ_POWMET.DF |
31b8c756f789cd865060085b48e8c7c20ee1612eb897e3c044564dfd669894b8 | TROJ_DEDEX.B | Blocked
URLs (WRS): Blocked

Configure Trend Micro products for proactive prevention and monitoring:

Virus Scan
  • OSCE VSAPI

Behavior Monitoring
  • Policy detection for WINWORD.exe (AEGIS)
  • Policy detection for cmd.exe (OSCE AEGIS 2)
  • Suspicious Object Detection (File)

DDI Official Rule ID 2522: DEDEX – HTTP(Request)
  • Block C&C connections of TROJ_DEDEXE (DDI)
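As an added illustration of the Behavior Monitoring items above (policy detection for WINWORD.exe and cmd.exe), the following Python flags command interpreters whose process ancestry leads back to Word, the chain a DDE prompt produces when accepted. This is example code, not Trend Micro's implementation; the process-creation events are constructed samples, and the field names (pid, ppid, image) are assumptions modelled on Sysmon-style process-creation records.

```python
import ntpath

# Command interpreters commonly seen as the first hops after a DDE prompt is
# accepted: cmd.exe, which then frequently launches PowerShell.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe"}
MAX_DEPTH = 4  # how many parent hops to walk back looking for Word

def image_name(path):
    """Normalise a full Windows image path to its lower-case file name."""
    return ntpath.basename(path).lower()

def find_office_spawns(events, max_depth=MAX_DEPTH):
    """Return one alert per interpreter whose ancestor chain reaches Word.

    events: iterable of dicts with keys pid, ppid, image (full path).
    Walking the chain rather than only the direct parent catches
    WINWORD.EXE -> cmd.exe -> powershell.exe as two related alerts.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if image_name(ev["image"]) not in INTERPRETERS:
            continue
        depth, cur = 0, ev
        while depth < max_depth and cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            depth += 1
            if image_name(cur["image"]) in OFFICE_PARENTS:
                alerts.append({"pid": ev["pid"], "child": image_name(ev["image"]),
                               "office_pid": cur["pid"], "depth": depth})
                break
    return alerts

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},  # spawned by Word
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},  # user-opened shell, benign
    {"pid": 600, "ppid": 200, "image": r"C:\Windows\splwow64.exe"},      # benign Word child
]

if __name__ == "__main__":
    for a in find_office_spawns(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['child']} descends from WINWORD.EXE "
              f"(pid {a['office_pid']}, {a['depth']} hop(s))")
```

The user-launched cmd.exe (pid 500) and the legitimate Word child splwow64.exe (pid 600) are not flagged, which is the distinction a WINWORD.exe/cmd.exe behaviour policy has to make to avoid noise.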

Category: Configure; SPEC
Solution Id: 1118604