With the rapid evolution of cybercrime, traditional defenses are increasingly being overwhelmed by attacks that exploit commonly used system tools and protocols. A recent investigation by Cisco’s Talos threat research group uncovered a campaign utilizing malware-laden Microsoft Word documents capable of executing code without requiring Macro permissions or corrupting memory.

The method known as “macro-less code execution” leverages the Dynamic Data Exchange (DDE) feature in Microsoft Office applications. Described on Monday by security researchers Etienne Stalmans and Saif El-Sherei from Sensepost, this sophisticated strategy allows for malicious code execution by taking advantage of built-in functionalities in MS Word.

Dynamic Data Exchange is a long-established protocol facilitating data sharing between applications. While primarily intended for legitimate one-time transfers or ongoing data updates, it can also be misused to transport malicious payloads without triggering security alerts typically associated with more overt exploits.

Thousands of applications, including MS Word, Excel, and Quattro Pro, utilize the DDE protocol. Crucially, the attack technique described by Stalmans and El-Sherei initiates without raising typical security warnings. The only prompt a victim sees may inquire whether they wish to run a specified application, a dialog that could potentially be eliminated with slight modifications to the code syntax.

Talos indicates that these attacks are actively deployed in the wild. Recent findings reveal hackers targeting numerous organizations through spear phishing emails, deceptively crafted to mimic communications from the U.S. Securities and Exchange Commission (SEC). These emails contained harmful attachments that initiated a comprehensive, multi-stage infection process leading to the deployment of DNSMessenger malware—a fileless trojan utilizing DNS queries for remote control of compromised systems.

Upon opening the malicious document, users receive a notification stating that the document includes links to external files and must approve or deny content retrieval. If permitted, the document can communicate with an attacker-controlled server to download and execute code that facilitates the DNSMessenger infection. Notably, the DDEAUTO field used in the attack appears to have retrieved its payload from a compromised Louisiana state government website.

Despite these security vulnerabilities, Microsoft does not categorize the DDE protocol as a threat. The company contends that while the DDE feature cannot be entirely disabled, they are exploring enhancements to provide users with better alerts about potential risks.

While a direct mechanism to disable DDE code execution does not exist, organizations can take proactive steps to monitor system logs to detect unusual activities indicative of exploitation attempts. Security researchers at NVISO Labs have even provided YARA rules to help identify DDE vectors in Office Open XML files.

To mitigate risks associated with such cyber threats, it is paramount for businesses to exercise caution regarding unsolicited documents received via email and to refrain from clicking links without verifying the sender’s authenticity. Understanding the tactics outlined in the MITRE ATT&CK framework, including initial access and persistence techniques, can further guide organizations in fortifying their defenses against evolving cyber threats.

Found this article interesting? Follow us on Google News, Twitter, and LinkedIn to read more exclusive content we post.

Source link