A recently discovered, unpatched attack method that exploits a built-in feature of Microsoft Office, the MS Word DDE exploit, is currently being used in several malware attack campaigns.
Last week, we reported how hackers could exploit an old Microsoft Office feature called Dynamic Data Exchange (DDE) to execute malicious code on the target device without requiring macros to be enabled or memory corruption.
DDE is one of the methods that Microsoft uses to allow two running applications to share the same data.
The protocol is used by thousands of applications, including MS Excel, MS Word, Quattro Pro and Visual Basic, for one-time data transfers and for continuous exchanges in which the applications send updates to one another.
The DDE exploitation technique shows victims no “security” warning; it only asks them whether they want to run the application specified in the command, and even this pop-up alert could be eliminated “by changing the appropriate syntax”.
Shortly after the details of the DDE attack technique were made public, the Talos threat research group released a report on an attack campaign actively exploiting this technique in the wild to target several organizations with a remote access Trojan (RAT) called DNSMessenger.
Necurs Botnet Uses DDE Attack to Propagate Locky Ransomware
Now, hackers have been found using the Necurs botnet (malware that currently controls over 6 million infected computers worldwide and sends millions of emails) to distribute Locky ransomware and the TrickBot banking Trojan using Word documents that exploit the newly discovered DDE attack technique, SANS ISC reported.
The hackers behind Locky ransomware previously relied on macro-based MS Office documents, but they have now updated the Necurs botnet to deliver malware via the DDE exploit and to gain the ability to take screenshots of victims' desktops.
“The interesting thing about this new wave is that the downloader now contains new features to collect telemetry from victims,” Symantec said in a blog post.
“It can take screenshots and send them to a remote server. There is also an error-reporting feature that sends back information on errors that the downloader encounters when it tries to carry out its activities.”
Hancitor Malware Using DDE Attack
Another separate spam campaign discovered by security researchers has also been found distributing Hancitor malware (also known as Chanitor and Tordal) using the MS Word DDE exploit.
Hancitor is a downloader that installs malicious payloads such as banking Trojans, data-theft malware and ransomware on infected machines, and it is generally delivered as a macro-enabled MS Office document in phishing emails.
How to protect yourself from MS Word DDE Exploit?
Since DDE is a legitimate Microsoft feature, most antivirus solutions do not warn about or block MS Office documents with DDE fields, nor does the technology company plan to release a patch that would remove the functionality.
As a result, you can protect yourself and your organization from such attacks by disabling the “Update automatic links at open” option in MS Office programs.
To do this, open Word → select File → Options → Advanced, scroll down to General, and then uncheck the “Update automatic links at open” checkbox.
However, the best way to protect yourself from such attacks is always to be wary of any unsolicited document sent by email and never to click links inside those documents unless the source has been properly verified.