DDE exploits still happening despite Microsoft updates to stop them

Haythem Elmir

We are still seeing malware campaigns using the DDE exploit. These are somewhat different from the earlier versions: the Word docs do contain macros, with a very basic base64-encoded PowerShell script that carries the DDE exploit. Running OfficeMalScanner over the document only shows the macro with a DDEAUTO command, not a separate embedded DDE object in the way the previous versions did.
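As an added example (not code from the original post or from OfficeMalScanner), the following Python scanner does the kind of triage described above on extracted VBA source: it flags DDE/DDEAUTO field text and decodes long base64 runs to see whether they hold PowerShell, handling both plain base64 and the UTF-16LE form that `-EncodedCommand` expects. The macro it scans is a constructed sample with a placeholder program path, not the campaign's macro.

```python
import base64
import binascii
import re

# A DDE or DDEAUTO field launching a program, and long base64 runs that may
# hide a PowerShell script (plain, or UTF-16LE as -EncodedCommand expects).
DDE_FIELD = re.compile(r'\bDDE(?:AUTO)?\s+[^\r\n"]+', re.IGNORECASE)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
PS_HINT = re.compile(r"powershell|IEX|Invoke-Expression|DownloadString|DDE", re.IGNORECASE)


def decode_blob(blob: str) -> str:
    """Decode a base64 blob to ASCII text (UTF-16LE first, then UTF-8), else ''."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return ""
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        # A real script is printable ASCII; a wrong-encoding decode is not.
        if text and all(c.isascii() and (c.isprintable() or c in "\r\n\t") for c in text):
            return text
    return ""


def scan_macro(source: str) -> dict:
    """Report DDE field text and decoded base64 blobs that look like PowerShell."""
    dde_fields = [m.group(0) for m in DDE_FIELD.finditer(source)]
    decoded = (decode_blob(blob) for blob in B64_BLOB.findall(source))
    payloads = [text for text in decoded if PS_HINT.search(text)]
    return {"dde_fields": dde_fields, "decoded_payloads": payloads,
            "suspicious": bool(dde_fields or payloads)}


# Constructed sample macro (not the campaign's code): a DDEAUTO field string
# with a placeholder program path plus a PowerShell one-liner encoded as UTF-16LE.
SAMPLE_PS = 'IEX "placeholder: stage two would go here"'
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
SAMPLE_MACRO = f'''Sub AutoOpen()
    cmd = "{SAMPLE_B64}"
    fieldText = "DDEAUTO c:\\windows\\system32\\program.exe /c placeholder"
End Sub'''

if __name__ == "__main__":
    print(scan_macro(SAMPLE_MACRO))
```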

The original email was uploaded to our submissions system on 22 December 2017. I tried the links in the email several times over the last few days and always got a timeout with no response, even trying via numerous proxy servers worldwide. Today I actually got a response and downloaded the malicious Word doc that contains the DDE exploit in the macro. The original uploader thought this was a phishing email because he also didn't get any payload delivered to him.

The email pretends to be from eBay, asking you to download an invoice. Unfortunately, today, the site(s) the PowerShell tries to contact are giving a 404 response, so I have no idea what the eventual payload was supposed to be. This post is therefore a general information post about the use of DDE in macros.

You can now submit suspicious sites, emails and files via our Submissions system

What makes these much harder to deal with than normal macros or embedded OLE objects is the rather innocuous warnings that Word gives when the doc is opened, which unwitting recipients are possibly more likely to click through because they don't understand them. Combining macros with the DDE exploit means that the prospective victim has to click through 4 or 5 warnings to actually be infected by these sorts of scam and phishing malware emails.

Asking somebody to update links seems innocent enough, and many recipients will click Yes just because they have no idea what it means. Clicking No will stop this exploit. If you click Yes, you should then get a second alert saying something like "The remote data is not accessible. Do you want to start the application C:\windows\system32\program.exe?" However, we believe it is possible for the malware author to hide or bypass the second message and script the file to run automatically.

To read the original article:
