Hacking Group APT28 (Fancy Bear) Putting Malware into Office Documents (Whether Macros Are Enabled or Not)

The McAfee Advanced Threat Research team discovered a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique previously reported by Advanced Threat Research. This document likely marks the first observed use of the technique by APT28. DDE is a legitimate Office feature rather than a bug: a field in the document asks Word to start another application in order to update linked data, and when that application is cmd.exe or PowerShell the attacker gets arbitrary code execution on the victim's system regardless of whether macros are enabled. The user still has to click through the prompts Word shows before it updates the link, so user awareness remains part of the defense. Microsoft, McAfee, and other sources document how to identify and prevent infections from this type of attack, and the Ars Technica article below demonstrates what the attack looks like. A GPO (BWTST – Microsoft Office – Disable DDE) that disables DDE for Microsoft Office has been created for organizations that do not use DDE and wish to disable it (note that disabling it also stops legitimate DDE-linked content from updating). Details on the GPO can be found here: USGS GPO Deviations

https://arstechnica.com/information-technology/2017/11/russia-linked-fancy-bear-attacks-abuse-macro-less-ms-word-to-infect-pcs/
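The detection side of this, as an added example that is not code from McAfee, Microsoft or the Ars Technica article: a small Python scanner that opens a .docx as the zip archive it is, pulls every field instruction out of the WordprocessingML parts (body, headers, footers, footnotes, comments) and flags DDE/DDEAUTO fields. It joins a field's instruction text across all of its runs and decodes the `{ QUOTE 68 68 69 ... }` numeric trick, because both are used to hide the keyword from a plain grep. The two .docx blobs it scans are constructed inside the script (only the XML parts the scanner reads, not complete Word files) and carry harmless placeholder commands; the `w:` namespace URI and the field-run structure are the standard OOXML ones.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# WordprocessingML namespace; every element and attribute we inspect uses it.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# DDE and DDEAUTO field instructions. Case-insensitive (Word is), with \b so a
# field name that merely contains the letters (e.g. ADDEXT) is not flagged.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# { QUOTE 68 68 69 ... } evaluates to the characters with those codes; nested
# inside another field it hides the DDEAUTO keyword from plain string searches.
QUOTE_RE = re.compile(r"QUOTE((?:\s+\d{1,3})+)", re.IGNORECASE)


def decode_quote_fields(code):
    """Replace 'QUOTE 68 68 69 ...' with the characters those codes encode."""
    return QUOTE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split()), code)


def iter_field_codes(root):
    """Yield every field instruction in one WordprocessingML part.

    Simple fields carry the code in <w:fldSimple w:instr="...">. Complex fields
    are a run sequence fldChar(begin) .. instrText .. fldChar(separate) ..
    fldChar(end); the code is joined from ALL instrText runs between begin and
    end because attackers split 'DDEAUTO' across several runs.
    """
    for el in root.iter(W + "fldSimple"):
        yield el.get(W + "instr", "")
    depth, buf = 0, []
    for el in root.iter():                 # pre-order = document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:             # outermost field closed
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    if buf:                                # unterminated field: report it anyway
        yield "".join(buf)


def scan_docx(data):
    """Return [(part name, normalised field code)] for each DDE field found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Fields can sit in the body, headers, footers, footnotes, comments.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue                   # a stricter scanner would flag this too
            for code in iter_field_codes(root):
                decoded = " ".join(decode_quote_fields(code).split())
                if DDE_RE.search(decoded):
                    findings.append((name, decoded))
    return findings


# ---- constructed samples (not real malware): only the parts the scanner reads
def _part(tag, runs):
    body = "<w:p>%s</w:p>" % runs
    if tag == "document":
        body = "<w:body>%s</w:body>" % body
    return '<w:%s xmlns:w="%s">%s</w:%s>' % (tag, W[1:-1], body, tag)

def _fld(kind):
    return '<w:r><w:fldChar w:fldCharType="%s"/></w:r>' % kind

def _instr(text):
    return '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % text

def build_docx(parts):
    """Zip {part name: xml} into a .docx-like blob (minimal, not a full Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()

CMD = "c:\\\\Windows\\\\System32\\\\cmd.exe"   # field codes double the backslashes

MALICIOUS_DOCX = build_docx({
    # body: keyword split across two runs, launching PowerShell via cmd.exe
    "word/document.xml": _part("document",
        _fld("begin") + _instr("DD")
        + _instr('EAUTO %s "/k powershell -NoProfile -Command Write-Host hi"' % CMD)
        + _fld("separate") + "<w:r><w:t>Loading...</w:t></w:r>" + _fld("end")),
    # header: keyword produced by a nested QUOTE field (68 68 69 ... = DDEAUTO)
    "word/header1.xml": _part("hdr",
        _fld("begin") + _fld("begin") + _instr(" QUOTE 68 68 69 65 85 84 79 ")
        + _fld("end") + _instr(' %s "/k calc.exe" ' % CMD) + _fld("end")),
    # footer: plain simple-field form
    "word/footer1.xml": _part("ftr",
        '<w:fldSimple w:instr=" DDE %s &quot;/k calc.exe&quot; "/>' % CMD),
})

CLEAN_DOCX = build_docx({            # ordinary PAGE and DATE fields only
    "word/document.xml": _part("document",
        '<w:fldSimple w:instr=" PAGE "/>' + _fld("begin")
        + _instr(' DATE \\@ "d MMMM yyyy" ') + _fld("separate") + _fld("end")),
})

if __name__ == "__main__":
    print("malicious:", scan_docx(MALICIOUS_DOCX))
    print("clean:", scan_docx(CLEAN_DOCX))
```

Run it as a script to see both results, or call scan_docx() on the bytes of a real attachment; a hit is a reason to detonate the file in a sandbox rather than open it. The check is a heuristic: a document that assembles the keyword at run time through some other field combination needs its own rule, and an XML part that fails to parse should be treated as suspicious as well.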

Indicators of Compromise

SHA1 Hashes

  • ab354807e687993fbeb1b325eb6e4ab38d428a1e (vms.dll, Seduploader implant)
  • 4bc722a9b0492a50bd86a1341f02c74c0d773db7 (secnt.dll, Seduploader implant)
  • 1c6c700ceebfbe799e115582665105caa03c5c9e (IsisAttackInNewYork.docx)
  • 68c2809560c7623d2307d8797691abf3eafe319a (SaberGuardian.docx)

Domains

  • webviewres[.]net
  • netmediaresources[.]com

IPs

  • 185.216.35.26
  • 89.34.111.160

McAfee coverage

Microsoft's summary of the issue (Security Advisory 4053440):

Executive Summary

Microsoft is releasing this security advisory to provide information regarding security settings for Microsoft Office applications. This advisory provides guidance on what users can do to ensure that these applications are properly secured when processing Dynamic Data Exchange (DDE) fields.

About Dynamic Data Exchange

Microsoft Office provides several methods for transferring data between applications. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data, and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Scenario

In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.


References:

Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack

https://technet.microsoft.com/library/security/4053440.aspx

https://arstechnica.com/information-technology/2017/11/russia-linked-fancy-bear-attacks-abuse-macro-less-ms-word-to-infect-pcs/
