Watch out for Microsoft Word DDE nasties: Now Freddie Mac menaced
Forget KRACK, good ol' Office malware has biz workers in its sights again
Updated Malware exploiting Microsoft Word's DDE features to infect computers has been lobbed at US government-backed mortgage biz Freddie Mac.
Well-crafted phishing emails were sent to staff promising free tickets to a Halloween event at a nearby Six Flags amusement park. If employees click through a link in the message, they're receive an Office document to register and a prompt warning that the file wants to access data from other apps appears. If OK is clicked, a payload is downloaded from a Halloween-themed domain – sixflags-frightfest.com – for extra authenticity.
This payload is a Visual Basic script that tries to obfuscate its execution by pivoting through Microsoft Excel before unpacking a secondary payload that decodes another packed bunch of data that eventually turns into a generic nasty known as Cometsys or Cometer that appears to open a backdoor to receive further commands and siphon off internal data to its masterminds.
"Notice the above payload begins by modifying the registry for additional privileges," explained network security firm Inquest on Tuesday.
"This is done in order to pivot execution through Microsoft Excel. Once modified, it later restores the registry setting to the previous value. This technique is generally used to mask execution chains in an attempt to hide from endpoint security solutions."
It's the latest in a series of cyber-attacks leveraging DDE, which seems to be popular again with malware developers. Microsoft still supports it, so expect to see more of this kind of attack.
Good intentions go bad
DDE is, frankly, ancient: it was introduced in Windows 2.0 back in 1987 and, at the time, it was a pretty good idea. The protocol allows Office files to share data so that, for example, you could embed an Excel spreadsheet in a Word document.
So far so good, but from a malware perspective, it's an interesting way to evade security software. A clean file, such as the Word document used in the Freddie Mac case, can be spammed out and security filters will let it through, but the document can use DDE to pull in payloads and run them, if the user allows it.
That last point is crucial, and without victims carelessly clicking on OK buttons, the attack won't work. Fooling people into clicking OK on dialogue boxes isn't hard – most users, particularly non-technical ones, will just click OK to get on with what they are doing...
The software actually asks users twice to OK the data exchange. The first warning box asks if you're OK bringing in linked files, and the second states there's a problem and asks permission to execute commands via cmd.exe. For seasoned users, this should set off alarm bells. For non-savvy people in a hurry to go to Six Flags, it's another whizzbang space-age technospeak jargon-pest to click through.
Not a bug but a feature
Analysis by security consultancy Sensepost last week showed that this second box, the more alarming one for users, can be hidden by tweaking the syntax in the exploit code. This means marks only have to click on one OK button to become infected. This makes infiltrating and spying on an organization a lot easier.
However, Redmond has made it clear that because the user needs to OK, this is a WONTFIX issue.
"Microsoft responded that as suggested it is a feature and no further action will be taken, and will be considered for a next-version candidate bug," Sensenet claimed after alerting the Windows giant to the bypass.
That may change, however, if exploitation rates of DDE expand, and it's looking like they are. On Tuesday, Brad Duncan from the Internet Storm Center wrote that he has already seen scumbags pushing Hancitor malware – also known as Chanitor or Tordal – using DDE. ®
Updated to add
“This technique requires a user to disable Protected Mode and click through one or more additional prompts. We encourage customers to use caution when opening suspicious email attachments,” a Microsoft spokesperson told The Register after this story was published.
The spokesperson also claimed that the file mentioned in the Inquest blog post would have been stopped by Windows' builtin security. Let's hope it nails whatever malware is lobbed around next.