Exploitation of the Microsoft® Dynamic Data Exchange (DDE) protocol is increasingly being used to launch malicious code in weaponized email attachments. A native feature in Microsoft, DDE allows data to be pulled from other sources, such as updating a spreadsheet from an external database. As with many features, DDE can be leveraged for malicious purposes.
Old Dog, New Tricks
Malicious email attachments are nothing new, but the traditional attack vector has been via macros embedded into the files. Macros are simply shortcuts for sequences of commands and/or keystrokes. Studies show that at least a quarter of phishing attempts involve malicious macros embedded in Microsoft Office documents. As noted by the SANS Internet Storm Center, “…attackers are using DDE because it’s different. We’ve been seeing the same macro-based attacks for years now, so perhaps criminals are trying something different just to see if it works any better.”
Apparently, DDE exploitation does work, as observed in several malware campaigns, including distribution of Locky ransomware through the Necurs botnet and also in the spread of the Hancitor downloader. The technique was also used against Fannie Mae employees in October 2017, when attackers sent phishing emails promising free tickets to a Halloween event at a local Six Flags amusement park. More recently, DDE exploitation was found being used in the Dridex banking trojan to execute a shell command to download malware. It was also used in association with the distribution of the Zyklon backdoor.
Of Course, There’s a Metasploit Module for That
The DDE exploit can be created using custom Metasploit modules available through GitHub and other sources. The LookingGlass™ research team tested a module designed to open a backdoor communication channel (reverse shell) between the victim and attacker.
Once the exploit is configured, the next step is crafting the malicious Microsoft Office document. This is done by inserting a coded field that contains the output from the Metasploit DDE module.
Syntax of the code in our test case is as follows:
The document is then sent to victims, typically via a phishing email, and targets Microsoft Word in a Windows operating system. When the victim opens the document, they are presented with a pop-up that prompts them to “update” the document with data from linked files. The default response is no, but if the user clicks yes, the malicious code will be launched using the Microsoft HTML Application Host (mshta.exe) and PowerShell to retrieve the HTML Application (HTA) payload from the remote server.
In our test case, the code enabled a connection back to our “attack” server. From that session, we were able to remotely run commands and upload and download files. This activity was not readily observable from the victim computer. Interestingly, the connection remains open even if the document is closed.
Avoiding the DDE Phishing Hook
Unfortunately, infected files are not easy to signature since the exploits can vary widely in syntax and the documents themselves can contain a variety of text and images.
If you are a systems admin or IT practitioner, here are some things you can do to protect your organization’s network:
- Download Windows Defender (can detect use of DDE exploits and you can turn off DDE itself in the Windows registry)
- Monitor outbound connections, particularly on unusual ports
- Phishing education
At this point, we all know cyber threats are becoming more sophisticated and targeted. Creating a culture of security in your organization and basic cyber hygiene is the easiest and fastest way to keep your networks clean and the bad guys out.
Want more insights like this into new vulnerabilities and exploits? Learn more here.