Microsoft Office DDE Exploit


“Fancy Bear” Hackers Using Microsoft Dynamic Data Exchange Exploit

Overview

Microsoft’s DDE feature is designed to allow Office files to include links to other remote files, like hyperlinks between documents. But it can also be used to pull malware onto a victim’s computer when they merely open a document, and then click through an innocuous prompt asking them if they “want to update this document with data from the linked files?”

The APT28 hackers appear to be using that technique to infect anyone who opens attachments with names like SabreGuard2017.docx and IsisAttackInNewYork.docx. In combination with the scripting tool PowerShell, they install a piece of reconnaissance malware called Seduploader on victims’ machines. They then use that initial malware to scope out their victim before deciding whether to install a more fully featured piece of spyware—one of two tools known as X-Agent and Sedreco.

According to McAfee, the malware samples, the domains of the command-and-control servers that the malware connects to, and the targets of the campaign all point to APT28, a group believed to be working in the service of Russia’s military intelligence agency GRU. Even as APT28 uses this latest Microsoft Office technique in a new campaign, Microsoft itself has said that it has no plans to alter or patch DDE; it considers DDE (Dynamic Data Exchange) a feature that is working as intended. Microsoft noted that the DDE attack only works when Windows’ Protected Mode setting is disabled, and only if the user clicks through the prompts that the attack requires. “As always, we encourage customers to use caution when opening suspicious email attachments.”

About Dynamic Data Exchange

Microsoft Office provides several methods for transferring data between applications. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data, and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Scenario

In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. As email attachments are a primary method an attacker could use to spread malware, Microsoft strongly recommends that customers exercise caution when opening suspicious file attachments.

Recommendations

Mitigating DDE Attack Scenarios

Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for Microsoft Office. Use the following instructions to set the registry keys based on the Office applications installed on your system.

Warning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Microsoft Excel

Excel depends on the DDE feature to launch documents. To prevent automatic update of links from Excel (including DDE, OLE, and external cell or defined name references), refer to the following table for the registry key version string to set for each version:

Office Version    Registry Key <version> string
Office 2007       12.0
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0

  • To disable the DDE feature via the user interface: set File->Options->Trust Center->Trust Center Settings->External Content->Security settings for Workbook Links. This disables automatic update of Workbook Links.
  • To disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Excel\Security] WorkbookLinkWarnings(DWORD) = 2

Impact of mitigation

Setting this registry value prevents Excel spreadsheets from updating linked data automatically. Data might not be completely up-to-date because it is no longer refreshed via the live feed; to update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts reminding them to update the worksheet manually.

Microsoft Outlook

Refer to the following table for the registry key version string to set for each Office version:

Office Version    Registry Key <version> string
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0

  • For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options\WordMail] DontUpdateLinks(DWORD)=1
  • For Office 2007, to disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref] fNoCalclinksOnopen_90_1(DWORD)=1

Impact of mitigation

Setting this registry key will disable automatic update for DDE field and OLE links. Users can still enable the update by right-clicking on the field and clicking “Update Field”.

Microsoft Word

Refer to the following table for the registry key version string to set for each Office version:

Office Version    Registry Key <version> string
Office 2010       14.0
Office 2013       15.0
Office 2016       16.0

  • For Office 2010 and later versions, to disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options] DontUpdateLinks(DWORD)=1
  • For Office 2007, to disable the DDE feature via the Registry Editor:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref] fNoCalclinksOnopen_90_1(DWORD)=1

Impact of mitigation

Setting this registry key will disable automatic update for DDE field and OLE links. Users can still enable the update by right-clicking on the field and clicking “Update Field”.
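The Excel, Outlook and Word registry values listed above, gathered into one PowerShell script as an added example (this is not code from the original advisory or from Microsoft). The function names are my own; the key paths, value names and data come from the tables above, and the script runs as the user whose Office settings should change, since the keys live under HKCU.

```powershell
# Added example, not part of the original advisory: apply and audit the HKCU values
# from the tables above for Excel, Word and Outlook. For fleet-wide deployment push
# the same values via Group Policy rather than running this per user.

function Get-DdeHardeningEntries {
    $entries = @()
    # Excel: the same value applies to Office 2007 (12.0) through 2016 (16.0)
    foreach ($v in '12.0', '14.0', '15.0', '16.0') {
        $entries += [pscustomobject]@{ App = "Excel $v"; Path = "HKCU:\Software\Microsoft\Office\$v\Excel\Security";
                                       Name = 'WorkbookLinkWarnings'; Value = 2 }
    }
    # Word and Outlook (WordMail) for Office 2010 (14.0) and later
    foreach ($v in '14.0', '15.0', '16.0') {
        $entries += [pscustomobject]@{ App = "Word $v"; Path = "HKCU:\Software\Microsoft\Office\$v\Word\Options";
                                       Name = 'DontUpdateLinks'; Value = 1 }
        $entries += [pscustomobject]@{ App = "Outlook $v"; Path = "HKCU:\Software\Microsoft\Office\$v\Word\Options\WordMail";
                                       Name = 'DontUpdateLinks'; Value = 1 }
    }
    # Office 2007 Word and Outlook use a different value under vpref
    $entries += [pscustomobject]@{ App = 'Word/Outlook 12.0'; Path = 'HKCU:\Software\Microsoft\Office\12.0\Word\Options\vpref';
                                   Name = 'fNoCalclinksOnopen_90_1'; Value = 1 }
    return $entries
}

function Set-DdeHardening {
    foreach ($e in Get-DdeHardeningEntries) {
        # Create the key if it is missing; -Force makes New-ItemProperty overwrite an existing value
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        New-ItemProperty -Path $e.Path -Name $e.Name -PropertyType DWord -Value $e.Value -Force | Out-Null
    }
}

function Test-DdeHardening {
    # One row per expected value; Current is $null where the key or value does not exist yet
    foreach ($e in Get-DdeHardeningEntries) {
        $current = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            App       = $e.App
            Name      = $e.Name
            Expected  = $e.Value
            Current   = $current
            Compliant = ($current -eq $e.Value)
        }
    }
}

Test-DdeHardening | Format-Table -AutoSize   # audit first; run Set-DdeHardening to apply
```

Versions of Office that are not installed simply show as non-compliant in the audit and can be ignored; setting their values does no harm.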

However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via email and never to click on links inside those documents unless you have adequately verified the source.

For more information regarding Fancy Bear’s exploits:

https://www.threatconnect.com/blog/fancy-bear-leverages-blogspot/?utm_campaign=DNC%20Guccifer%202.0%20Fancy%20Bears%20Research&utm_source=twitter&utm_medium=social

References

https://technet.microsoft.com/en-us/library/security/4053440.aspx

https://thehackernews.com/2017/11/apt28-office-dde-malware.html

https://www.wired.com/story/russia-fancy-bear-hackers-microsoft-office-flaw-and-nyc-terrorism-fears/


Copyright © 2017