“Fancy Bear” Hackers Using Microsoft Dynamic Data Exchange Exploit
Microsoft’s DDE feature is designed to allow Office files to include links to other remote files, like hyperlinks between documents. But it can also be used to pull malware onto a victim’s computer when they merely open a document, and then click through an innocuous prompt asking them if they “want to update this document with data from the linked files?”
The APT28 hackers appear to be using that technique to infect anyone who clicks on attachments with names like SabreGuard2017.docx and IsisAttackInNewYork.docx. In combination with the scripting tool PowerShell, they install a piece of reconnaissance malware called Seduploader on victims’ machines. They then use that initial malware to scope out their victim before deciding whether to install a more fully featured piece of spyware—one of two tools known as X-Agent and Sedreco.
According to McAfee, the malware samples, the domains of the command-and-control servers that the malware connects to, and the targets of the campaign all point to APT28, a group believed to be working in the service of Russia’s military intelligence agency, the GRU. Even as APT28 exploits the latest Microsoft Office hacking technique in a new campaign, Microsoft itself has said that it has no plans to alter or patch its DDE function; it considers DDE (Dynamic Data Exchange) a feature that’s working as intended. Microsoft noted that the DDE attack only works when Windows’ Protected Mode setting is disabled, and only if the user clicks through the prompts that the attack requires. “As always, we encourage customers to use caution when opening suspicious email attachments.”
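As an added illustration for defenders (not code from the original article or from McAfee's research), the script below shows how a triage tool can spot the DDE and DDEAUTO field codes the article describes before a user ever sees the "update this document" prompt. A .docx is a zip archive of WordprocessingML XML parts, and Word stores field instructions either in a `w:fldSimple` attribute or split across `w:instrText` runs; the scanner joins the runs of each field so that a code split as `DDE` + `AUTO` is still caught. Both sample documents are constructed in memory, and the program path in the suspicious one is a placeholder, not a real payload.

```python
"""Scan .docx files for DDE/DDEAUTO field codes (added detection example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLDSIMPLE = f"{{{W_NS}}}fldSimple"
FLDCHAR = f"{{{W_NS}}}fldChar"
INSTRTEXT = f"{{{W_NS}}}instrText"
INSTR_ATTR = f"{{{W_NS}}}instr"
FLDCHARTYPE_ATTR = f"{{{W_NS}}}fldCharType"

# Matches the DDE and DDEAUTO field keywords as whole words, case-insensitively.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _field_codes(xml_bytes):
    """Yield every field instruction string found in one WordprocessingML part.

    Simple fields carry their code in w:fldSimple/@w:instr. Complex fields are
    bracketed by w:fldChar begin/separate/end markers with the code spread over
    one or more w:instrText runs; those runs are joined per field, and a stack
    handles fields nested inside other fields.
    """
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(FLDSIMPLE):
        yield fld.get(INSTR_ATTR, "")
    stack = []  # one list of instrText fragments per open complex field
    for el in root.iter():  # document order
        if el.tag == FLDCHAR:
            ftype = el.get(FLDCHARTYPE_ATTR)
            if ftype == "begin":
                stack.append([])
            elif ftype == "separate" and stack and stack[-1] is not None:
                yield "".join(stack[-1])  # instruction text is complete here
                stack[-1] = None          # result text follows; ignore it
            elif ftype == "end" and stack:
                frag = stack.pop()
                if frag is not None:      # field without a 'separate' marker
                    yield "".join(frag)
        elif el.tag == INSTRTEXT and stack and stack[-1] is not None:
            stack[-1].append(el.text or "")


def scan_docx(data):
    """Return [(part_name, normalized_field_code), ...] for fields that use DDE.

    `data` is the raw bytes of a .docx. All XML parts under word/ are checked,
    not only document.xml, since fields may also sit in headers, footers,
    footnotes or comments.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = list(_field_codes(zf.read(name)))
            except ET.ParseError:
                continue  # malformed or non-WordprocessingML part; skip it
            for code in codes:
                normalized = " ".join(code.split())  # collapse whitespace tricks
                if DDE_RE.search(normalized):
                    findings.append((name, normalized))
    return findings


def _make_docx(body_xml):
    """Build a minimal in-memory .docx (constructed fixture, not a real file)."""
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed benign document: plain text, no fields.
BENIGN_DOCX = _make_docx("<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>")

# Constructed suspicious document: a complex field whose code is split over two
# runs ("DDE" + "AUTO ...") and points at a placeholder path, not a real payload.
DDE_DOCX = _make_docx(
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    "<w:r><w:instrText>DDE</w:instrText></w:r>"
    '<w:r><w:instrText>AUTO "C:\\placeholder\\app.exe" "placeholder-args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>linked data</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for part, code in scan_docx(fh.read()):
                print(f"{path}: {part}: {code}")
    if len(sys.argv) == 1:
        print("constructed sample ->", scan_docx(DDE_DOCX))
```

Run it with one or more .docx paths to list every part and field code that references DDE; with no arguments it scans the constructed sample. Because the check is on the joined field code rather than on a raw substring of the XML, it is not fooled by a keyword split across runs, though a determined author can still obfuscate field syntax further, so treat a hit as a reason to quarantine and inspect rather than as the only control; keeping Protected View enabled, as the article notes, remains the first line of defense.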