Sensepost published an aticle, Macro-less Code Exec in MSWord, for a new method to execute codes in Microsoft Word and this does not make use of the usual Macros. This method is through Dynamic Data Exchange (DDE) protocol.
Click image to enlarge
"Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available."
At this moment, this method was seen being used on known threats such as Hancitor, Locky, and EMOTET. This flaw has been reported to Microsoft, however Microsoft responded that as suggested it is a feature and no further action will be taken, and will be considered for a next-version candidate bug.
Related IOCs & Solutions
| HASH | VIRUS SCAN | BEHAVIOR MONITORING |
|---|---|---|
| 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 | TROJ_POWLOAD.XML | Blocked |
| bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb | TROJ_POWSHELL.IA | Blocked |
| 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf | TROJ_POWSHELL.IA | |
| f0788436036e74103408ca9b0d8dc7c47648ec44846fb85cbb9655fe485a9fbf (Polski Ransomware .aes extension) | TROJ_POWMET.DF | |
| 31b8c756f789cd865060085b48e8c7c20ee1612eb897e3c044564dfd669894b8 | TROJ_DEDEX.B | Blocked |
| URLs | WRS |
|---|---|
| trt[.]doe[.]louisiana[.]gov/fonts.txt | Blocked |
| ns0[.]pw | |
| ns0[.]site | |
| ns0[.]space | |
| ns0[.]website | |
| ns1[.]press | |
| ns1[.]website | |
| ns2[.]press | |
| ns3[.]site | |
| ns3[.]space | |
| ns4[.]site | |
| ns4[.]space | |
| ns5[.]biz | |
| ns5[.]online | |
| ns5[.]pw |
To configure Trend Micro products for proactive prevention and monitoring:
Virus Scan
Enabling Virus scan (Smart Scan or Conventional Scan) allows detection of known documents utilizing this malicious behavior.
Refer to Related IOCs above for the detection names.
To configure this setting, open OfficeScan Management Console > Agents > Agent Management > Select Agent > Settings > Scan Settings. This setting is enabled by Default on the agent.
Behavior Monitoring
This feature helps block the execution of DDE when the malicious document is opened by the user. This setting is enabled by Default on the agent.
-
Detection for WINWORD.EXE with malicious DDE
-
Detection for CMD.EXE from malicious DDE
Refer to Related IOCs above for the list of known files whose behaviors are blocked by OfficeScan’s Behavior Monitoring.
To configure this setting, open OfficeScan Management Console > Agents > Agent Management > Select Agent > Settings > Behavior Monitoring Settings. This setting is enabled by Default on the agent.
Web Reputation
Enabling Web Reputation allows detection of access to known malicious URLs executed from document with DDE. This setting is enabled by Default on the agent.
Refer to Related IOCs above for a list of known URLs that are blocked by OfficeScan’s Web Reputation feature.
To configure this setting, open OfficeScan Management Console > Agents > Agent Management > Select Agent > Settings > Web Reputation Settings. This setting is enabled by Default on the agent.
Known Malware Detections
This allows detection of known files with malicious DDE.
Heuristic Detections
This allows detection of files with malicious DDE characteristics.
To configure this setting, open DDI Management Console > Administration > Monitoring/Scanning > Threat Detections.
Web Reputation Detection
This allows detection of known dangerous URL in Web Reputation Services database. This rule is enabled by default.
To configure this setting, open DDI Management Console > Administration > Monitoring/Scanning > Web Reputation.
Firstly, we need to make sure DDAN can is configured to analyze .doc and .docx files.
Once files are submitted to DDAN, either through connected Trend Micro Products or through manual submission, these files will be designated as Suspicious Objects with the name VAN_DROPPER.UMXX.
You can view the report to check the DDAN’s Analysis and see the malicious behavior, such as processes similar to what is seen on the DDE Code embedded in the document file.
When integrated with Trend Micro Control Manager, users can configure to Log, Block, or Quarantine these Suspicious Objects.
Microsoft already issued a patch on Microsoft Office to prevent this kind of malicious attack. Complete Patch details can be seen on this page: Microsoft Security Update Guide.
