Code Execution Technique Takes Advantage of Dynamic Data Exchange

Email phishing campaigns are a popular social engineering technique among hackers. The idea is simple: Craft an email that looks enticing to users and convince them to click on a malicious link or open a malicious attachment. Weight-loss and other health-related phishing emails are common. Package deliveries, bank notices and, in the case of spear phishing, even emails from your coworkers can contain malicious links or documents. With new research related to old Microsoft Office technologies, hackers have found new techniques that makes phishing all that more effective.

Microsoft’s Dynamic Data Exchange (DDE) has been around since 1987. Its purpose is to facilitate data transfers between applications that do not require ongoing user interaction. For example, if you have an item in a document that needs to have up-to-date data from an external source such as financial data, you can use DDE to kick start a process to collect that information. In Word, this could update charts and graphs of your financial data every time you open the document. Its functionality has been superseded by other technologies, notably Object Linking and Embedding (OLE), released in 1990, but due to compatibility reasons DDE is still supported by current Windows versions and Office products. (Microsoft advises that you disable DDE.)

On August 23 SensePost told Microsoft what they saw to be a security concern, if not a vulnerability, in the behavior of DDE. Microsoft determined that DDE behaved as expected and that the issue would be considered for a next-version candidate bug. On September 10 SensePost reported their findings.

The holy grail of phishing is to get arbitrary code execution on the target box. Once attackers can execute code, the hard part is done. At this stage they can load any malicious code on the target box to steal data or hold it for ransom. The Necurs botnet, which delivers the notorious Locky ransomware, has implemented a DDE-based phishing attack. Necurs delivers crafted Word documents, using the DDE protocol upon loading, that infect systems with Locky. (For more technical details on the Necurs botnet please refer to the McAfee Labs Threat Report, June 2017.)

Exploiting DDE for code execution is relatively simple. Attackers insert a calculated field and change the field codes to proper DDE syntax. They can use the DDEAUTO or DDE field identifier to launch executables. A proof of concept shows PowerShell giving an attacker a lot of control. The user is presented with two messages. The first appears innocuous: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?” The second message, which hopefully raises more suspicion, identifies the executable being called. However, attackers have some control over this message and may be able to reduce suspicion by changing how they launch the executable. At this time, the user must click “Yes” on both pop-ups for the attack to succeed.

Not only Word documents support this technique. Researchers have shown that Outlook Calendar invites can be crafted to exploit the DDE code execution technique, removing the need to attach a malicious file. An Outlook attack can begin when users merely open their invites.

Attackers are always innovating to trick users and bypass protections. Even old technologies can play a role in new attack techniques. It is important to educate your users on phishing attempts and to pay attention to security messages asking for access to system resources. With the simplicity of this technique and quick adoption from large malware players, we can assume that many new phishing campaigns will implement DDE for initial code execution, delivering both known malware, such as Locky, and new malware to the victims.

For technical details, see “Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps.”

Leave a Comment

20 − six =