Threat Intelligence Blog

Posted April 5, 2018

Exploitation of the Microsoft® Dynamic Data Exchange (DDE) protocol is increasingly being used to launch malicious code in weaponized email attachments. A native feature in Microsoft, DDE allows data to be pulled from other sources, such as updating a spreadsheet from an external database. As with many features, DDE can be leveraged for malicious purposes.

Old Dog, New Tricks

Malicious email attachments are nothing new, but the traditional attack vector has been via macros embedded into the files. Macros are simply shortcuts for sequences of commands and/or keystrokes. Studies show that at least a quarter of phishing attempts involve malicious macros embedded in Microsoft Office documents. As noted by the SANS Internet Storm Center, “…attackers are using DDE because it’s different. We’ve been seeing the same macro-based attacks for years now, so perhaps criminals are trying something different just to see if it works any better.”

Apparently, DDE exploitation does work, as observed in several malware campaigns, including distribution of Locky ransomware through the Necurs botnet and also in the spread of the Hancitor downloader. The technique was also used against Fannie Mae employees in October 2017, when attackers sent phishing emails promising free tickets to a Halloween event at a local Six Flags amusement park. More recently, DDE exploitation was found being used in the Dridex banking trojan to execute a shell command to download malware. It was also used in association with the distribution of the Zyklon backdoor.

Of Course, There’s a Metasploit Module for That

The DDE exploit can be created using custom Metasploit modules available through GitHub and other sources. The LookingGlass® research team tested a module designed to open a backdoor communication channel (reverse shell) between the victim and attacker.

Once the exploit is configured, the next step is crafting the malicious Microsoft Office document. This is done by inserting a coded field that contains the output from the Metasploit DDE module.

DDE exploit embedded in Word Document

DDE exploit embedded in Word Document


Syntax of the code in our test case is as follows:

DDE Exploit Code

DDE Exploit Code

The document is then sent to victims, typically via a phishing email, and targets Microsoft Word in a Windows operating system. When the victim opens the document, they are presented with a pop-up that prompts them to “update” the document with data from linked files. The default response is no, but if the user clicks yes, the malicious code will be launched using the Microsoft HTML Application Host (mshta.exe) and PowerShell to retrieve the HTML Application (HTA) payload from the remote server.

DDE Exploit Pop-Up Window

DDE Exploit Pop-Up Window


In our test case, the code enabled a connection back to our “attack” server. From that session, we were able to remotely run commands and upload and download files. This activity was not readily observable from the victim computer. Interestingly, the connection remains open even if the document is closed.

Established Connection Between Victim and Attacker

Established Connection Between Victim and Attacker


File Download Example

File Download Example

Avoiding the DDE Phishing Hook

Unfortunately, infected files are not easy to signature since the exploits can vary widely in syntax and the documents themselves can contain a variety of text and images.

If you are a systems admin or IT practitioner, here are some things you can do to protect your organization’s network:

  • Download Windows Defender (can detect use of DDE exploits and you can turn off DDE itself in the Windows registry)
  • Monitor outbound connections, particularly on unusual ports
  • Phishing education

At this point, we all know cyber threats are becoming more sophisticated and targeted. Creating a culture of security in your organization and basic cyber hygiene is the easiest and fastest way to keep your networks clean and the bad guys out.

Want more insights like this into new vulnerabilities and exploits? Learn more here.

Marcelle Lee is a LookingGlass threat researcher who is active in the cybersecurity community. Check out her upcoming speaking opportunities here and reach out to her on Twitter at @Marcelle_FSG.


Additional Posts

How One Investor Is Navigating The Cybersecurity Sector

From managing healthcare records and finances to how we do our shopping, innovative technologies ...

Diana Initiative 2018

On Thursday August 9th and Friday 10th 2018, The Diana Initiative will host a two day conference ...