Jump to content
gigiRoman

Microsoft DDE protocol based malware attacks

Recommended Posts

Sursa: https://www.zscaler.com/blogs/research/microsoft-dde-protocol-based-malware-attacks

 

Introduction

Over the past few weeks, there have been several reports about the Microsoft Dynamic Data Exchange (DDE) vulnerability. To no one's surprise, hackers have been quick to exploit this vulnerability to spread malware through rigged Microsoft Word documents.

In this same timeframe, the Zscaler ThreatLabZ team has seen a number of these malicious documents using the DDE vulnerability to download and execute malware. Most of the payloads we saw were Remote Access Trojans (RATs), ransomware, and backdoors.

In this blog, we will share a detailed technical analysis of a few of these exploitations and their payloads.

 

Background

The Microsoft Dynamic Data Exchange (DDE) protocol allows data to be transferred between applications. These applications can use DDE for one-time data transfers or for continuous exchanges; for example, a Microsoft Word document that uses data from an Excel spreadsheet is updated automatically through DDE as the spreadsheet data is updated. The DDE protocol sends messages between applications that share data and uses shared memory to exchange data between the applications. 

Microsoft Word documents have been used before to spread malware, but in those cases the victim would have to manually enable macros for the payload to be downloaded onto the victim’s system. With the DDE vulnerability (feature) in Microsoft Word, attackers can embed a malicious script that can download and execute malware without the use of macros.

 

Case I: DDE protocol abuse leads to post-exploitation using PowerShell

One Word file we analyzed exploited the DDE vulnerability to download and execute a PowerShell script using a post-exploitation framework.

Filename - Communications_Suggestions_by_Press_Office_Director.docx

The document looks like this:

uCLxeiNYMIPGj-B8GH-f_2pme5oHFmd3mKIgAt_EIKpFJARXF3JeVEipsMtfbDy92yjxQw0-wJzRzpYK0Qp2JdgoHFsvINJ4twkbJhOzB-Q75ra2YQARFwx6Gm7_a1akywEV40k

Fig1: Malicious document

Generally, fake documents like this are spread via an email campaign targeting small and large groups of businesses in numerous industry sectors.

The workflow of the document is as follows:

krH7IKZGmdxp4OOl1tBa7qowcbjW20ib9UPVWiBh_R-yqsS__jKjeASGyoT3vPkIDeqzYNZLg95QWN6nRd8mdZPtSRDCcSxLBoDC1zld278_vhkusZAZyXI6FOng-IGZPeL_Pxk

Fig2: Document Workflow (case I)

In this document, the attacker uses the DDE protocol to launch a Windows command line tool (cmd.exe), which uses PowerShell to download and execute the malware from a given URL.

The field content looks like this:

4VDkc22sGvTQpWpo786-RVjI2DIm_NzLdzqgFMxdg2gMgKBtQbqZi_hbv8VyTaA2O6jrvmuDJakZ48YBsS0tk7Xe2snExOVOYbF5YeamZ_UH9jJYyExnc9utRrXhhEUOQ2Yg8dE

Fig3: DDE field code

It downloads and executes a file using cmd.exe and PowerShell, which is present at the following URL: hxxp://citycarpark[.]my/components/com_admintools/mscorier.

The downloaded data (mscorier) is an obfuscated batch script that creates a PowerShell script and executes it.

mlyiDsXz_S-0kmf1mbvYJ6mnAIZ3-ylhnFWYDUI91MpYvikRxn1LPfJoM2BrpbWAjnmGcVO8Yo0BYVQlWpEucbBRL46rXOzmXrLhtjf4gLpxqXGGkm6gdK_Jc0GHUoglzqKAszc

Fig4: Obfuscated batch script (payload 1)

This script downloads another payload (wsdprintproxy) from hxxp://185.128.42[.]194/wsdprintproxy and stores it in the following registry to make itself persistent:

HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Themes\\ThemeVersion

B8GIYsv5Oom42gSKm91q26SVur5jpL1Wr4iLqKCjhprzmBUkBArvc1jWM_Me52VycWNclo7gHXLNTvFSVb2JDONqWIJ9UahOmm5Yw6F5QmvsweWWs5voCEj70787LFT315ifdMs

Fig5: Storing payload 2 in registry

cn7W6Ak640ZwgLQVBLZT3bzZM6XHWaHW0PdMScrpv-RfWqkoPj8h8KVCh0DpaMhwGiPHoY0_P9ozXetVBBYgzg7uSw_gngHKdPM-WqHqsCHmW07DuyckKULcri92hTsff5n7IRc

Fig6: Registry entry of payload 2

For persistence, payload 1 also creates two scheduled tasks, which execute the obfuscated script.

N2m-Z_27Qcb_ztuAn6tw48MAIFx3jSDPju4V7oO4ItJMSQ4Dx-WK2s5155VNCxPhN2CkM3bC6TslIP9Yfrb7CH_4HNp4BbxkeRMtCzSRIVc143L0BFGN7HBePdfcUiT-YMTKKfQ

Fig7: Code for persistence

One scheduled task is created with name FlashUpdateServiceInit, which runs daily at 11:00 a.m., and another task with name FlashUpdateService, which runs daily at 3:00 p.m.

After these tasks run, the script bypasses the PowerShell ScriptBlock logging, which means that the first execution of the malicious script will turn off all further logging.

5LauSa8UPsGMAJup_pHw0KaX3rOQmflYFtPS1GyfiBhSd_stu3gGPdb5O_EOBPpTlavvTsT9-rFJUQ__7Y_FbiOhgH1Rt8yifaHC_p7ph-Wqpxiab_TqeMVhkA9FhIcjzvUFlrM

Fig8: Enabling script block logging

To download its next payload, the malware initiates a GET request with the cookie “session=j4ppw/hpWdU/l5V3v9eymlAYxmE=” and downloads payload 3 from hxxps://185.128.42[.]194:8080/news.php.

-Zu9eujWTnU3gKxmMOCbMS6G9Yzqis8WgjyRRRQfqqbKZFLpd2e1-KOyMlngetLG0lfo0eHSlVVXQKgIIIksm4VDQ1LXsF0I30FjM_2lmt6ptJ5C5211ui-jnhWgpTHUbeW2GrA

Fig9: Downloading payload 3 from server

7wlNFcWnZTJd4F6PNMglqXjVhF1kl0iMQmOCvRuJnvVs683giigAuid7EZyKs3GxYAswKsQoeeUA6R7FeZmujLpMgR_FZudspGdJTZiOzCK1OiLAzoexl23uQYujVA33GKxjMxM

Fig10: Downloaded encrypted payload 3

The downloaded data is encrypted with RC4.

Data[0:4] = IV

Data[4:length(Data)] = Encrypted data

Key is hardcoded in the script which is:

Key = “a231fe7690a85f02eb147f53229c8e02”

9Ogh_evxYr2HW8ASKyBuddYF48gKDDLR9Ky6vQFe2FNzN7xvWmdF9GR1b-ljFd4W6uo4tGA-GXTnn7MzLOBYWXhQz01FQIjtITo5_SUPbvQFfBcze5HmcjqrFJ22Jv9CmlLUO0M

Fig11: RC4 algorithm

The script will decrypt the downloaded data. It is, again, a PowerShell script, which is executed after decryption.

The decrypted PowerShell script sends the encrypted RSA key with “IV” to the server at: hxxps://185.128.42[.]194:8080/news.php. In response, the server sends the encrypted AES key to victim.

The script fetches information from the victim’s machine, encrypts it with the AES key, and sends it to the server at: hxxps://185.128.42[.]194:8080/process.php.

Nonce|Server_URL|UserDomainName|UserName|Machine|IPAddress|OperatingSystem|True(if UserName=”system”)Otherwise False|CurrentProcessName|ProcessID|powershell|PowershellVersion

The server responds with the final payload PowerShell script which appears to be a part of the PowerShell empire framework post-exploitation.

Transactions of this post-exploitation framework look like this:

x6GoPq1sdJUa3kohx-fuUu6LHbhToi20RzeZMbSe0qMOvwMBH3Nu0VMb8aSpdE9xgaJhtDqC64ROLZXuTlhIsl4uJwBWQ-rzuP1QWzN8OxO2fsTEWs7_Rxv2_uKGyIUYSs8R8QY

Fig12: Network transactions

The PowerShell empire is a post-exploitation framework that provides a Metasploit-like framework in PowerShell and Python. It includes different types of backdoors with multiple modules. It deals strictly with Windows machines and is extremely useful in penetration testing. In some cases, however, attackers use this framework to hijack a user’s system and perform malicious activities.

 

Case II: DDE protocol abuse leads to Locky ransomware

In another recent case, a campaign of spam emails was delivering a Word document attachment that used the DDE technique, and the final payload of that campaign is Locky ransomware.
 

6kwyNdLTAxfAGBUjv7LqW3X4dEv6uONGsp_peb-3fdZpANt9-lWsTga_uNSS60BSZ1ABIdZ6R5jK-7d4OkPBrVNk8ynbY4dWnSZmb4M2rw8-t3W7T6TvfAP8C-GYo0L0qxeoP1M

Fig 13: DDE protocol abuse leads to Locky ransomware (case II)

In this case, attackers are writing obfuscated malicious field code in Word documents to evade detection; this code can be found in word-document.xml after extraction.

1fJKfeXFlDnjMvrvqek2gou7LWfKlfdio9Cj94QVD7mdOlYWBEGZQz-b0vRyfa9ybUIOaZi3b3BZ8JEfSdrCViDMtsMXRTtt7BsCj4yYuykg3r7DPqPbif9UEhumfGcWW3pFN7w

Fig14: Field word-document.xml obfuscated code

The exploit downloads the encoded PowerShell script from:  hxxp://lestrangeresearch[.]com/kdjsw23FGS. It then decodes and executes it through cmd.

4FqVGLhN9fZ1_U3L70kJLGfJ4IlBWl-dbZFxWiapZeZeLSjnpKiaVkm4BlTOod-s2Sk46DNPf39_Pd6r3imZ8iikWaiFjO1VUsjvdO2VenBKXToyug3BbgxgrkLZd0b2cgqv2aM

Fig15: Encoded PowerShell (payload 1)

The decoded script look like this:

3t9ib3JirvBHIv2y0jFQa9P9JTOfxf_yUsysF7troOm9OrSkw3lBtQ4IA6vYYDTaYF6LR2Y_e1QJLuykECBc8lGAbhN7u8AwL_vGY8POWPwmGXgtUMeV3crORjBjBgsDkeSn8g8

Fig16: Decoded PowerShell script (payload 1)

The decoded PowerShell script has six hardcoded malicious URLs.

The script will try to download the content from a URL and store it in %temp% with the name hti4.exe. Upon successful download, the script executes the downloaded file.

AjHP7MPA0o6czB0cp5V48iOyowc4-jOAYl4SxHgXt373ASZzzvrTtU-UGQtpJE_1BQqAuu9K0pKNAFep8pa1q2TuW2QQZhAFBTXU7DTNEtlBH8NhxqKAAmdP92T6HGV-icDaA-g

Fig17: Downloaded payload 2

Payload 2 is the intermediate payload. Its function is to check the system for specified parameters. If it satisfies specific criteria, it then downloads encrypted data from:  hxxp://spooner-motorsport[.]com.

wCm-o5mvaauZJcmgmldsX8nnRNLDGadKyz9ecBoYuOKbdu7N6YBx-SegasQ5ajXjlvUfXnyoZafXc6LyLclvg_SJIMCP5Qq75kq3nldMsjaPNYeRPWREHdP7794ztPpnuNo5L08

Fig18: Encrypted Locky ransomware (payload 3)

This encrypted data is decrypted and launched by the intermediate payload (payload 2).

After decryption, the final payload is Locky ransomware, which encrypts the files, appends the .asasin extension after encryption, and demands ransom in Bitcoin for decryption.

nmEozTANcicUraZwRLSLAqXbdPgjUJAmtAZWd83iRKREu8_xqfoGmHcGdUoO0t9nSRFXm3dgvM4BllT4py2Tzm0GtWxuOq0pxN1xo3XQ9yMsmlWmb3gLgDl4SJlC2PuM4NO-Vg8

Fig19: Ransom note (asasin.bmp)
 

GrxUobFrNEH2QbKFPRW1EFE9izoD7MpViryuR0q_4fsQ5Lm0dLq77oEGQcUWqVbFX1OVUZq9M0g3CHI63rpDOIBGWuBOyxld-SE2RwX5UPKtQu_AC1ONvDzf_OXmSdPE16UAcqg

Fig20: Locky payment site

 

Case III: Attack in New York

Recently, researchers at McAfee found a new phishing campaign from Russia's hacking group APT28 known as “Fancy Bear.”

APT28 capitalized on the recent terror attack in New York City by spreading email with an attached malicious Word document named IsisAttackInNewYork.docx, and the document appears to leverage the DDE technique.

In this case, the first-stage payload was a PowerShell script that downloads another base64 encoded PowerShell script. After that, the second-stage payload script downloads a new variant of Seduploader, which is spyware capable of taking screenshots, gathering sensitive data, and other intrusive activities.

 

Preventions:

If a document contains embedded malicious DDE code, it shows the following warning to users as they open it. 3jugSSfVleOicMVInEEeKAZNPHwZN2sXnYUsnNhYW0LnezxSp_AEuPVCMFPtMOp5pZWFQFr61OcM-Cn-G0VY3TEb4cUseVD6XjdZ60s0gSURne8yBiCsZr66NXsgh2mVTRcnIv8

Fig 21: Microsoft Word warning

The best way to prevent this DDE attack vector is to click “No” when this dialog box appears; this will stop further execution of the malware.

Another way to prevent this attack is to disable it by modifying the registry.

Microsoft has also published security advisoryfor securely opening Microsoft documents that contain a DDE field.
 

Conclusion:

Attackers are abusing the Microsoft DDE protocol to download and execute malware using PowerShell. In an earlier case, PowerShell led to an entire post-exploitation framework used for penetration testing. But attackers are using the framework for malicious purposes, such as stealing a user’s sensitive information, uploading and executing malware on a user’s machine, altering the user’s data, and so on. In recent cases, the DDE protocol led to ransomware, including Locky, which encrypts the victim’s data and demands ransom for the decryption.

The malware analyzed in this blog is detected as COM.Downloader.DDE

  •  
  •  
  •  
  •  
  •  
 
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...