Fancy Bear Adopts New DDE Attack Against Microsoft Office

Russian cyberespionage group Fancy Bear is using a recently publicized technique that abuses a legitimate Microsoft Office feature to create documents that can install malware.

For the past several years the most common method of embedding malicious code in Microsoft Office documents has been through macros, scripts that automate tasks in Office programs. In response, Microsoft has added security protections to its products to make the execution of malicious macros much more difficult.

In early October, security researchers from SensePost publicly disclosed a novel code-embedding method that takes advantage of a different Office feature called Dynamic Data Exchange (DDE). This is a mechanism that allows documents to be updated with information from external files—a functionality that Microsoft doesn’t plan to disable anytime soon.

In a new report, security researchers from McAfee warn that Fancy Bear, a Russian cyberespionage group that’s also known as APT28, Pawn Storm or Sofacy, has been using the DDE technique in phishing attacks since late October. The theme of the latest campaign was the recent terrorist attack in New York City.

The rogue document distributed in the phishing emails observed by McAfee is called IsisAttackInNewYork.docx. When opened, the file uses the DDE technique to execute a PowerShell command that pulls in and executes another PowerShell script from a remote URL.

The second script reaches out to another URL and downloads a first-stage reconnaissance implant called Seduploader that’s part of Fancy Bear’s toolset. Seduploader is used to identify potentially interesting victims and then deploy the group’s X-Agent trojan on selected systems.

“APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections, but can also rapidly incorporate new exploitation techniques to increase its success,” the McAfee researchers said. “This document likely marks the first observed use of this technique by APT28.”

Fancy Bear is a sophisticated cyberespionage group that has targeted a wide variety of military, political and research organizations over the years, including the Democratic National Committee (DNC) during the U.S. elections. The group’s targeting generally reflects Russia’s geopolitical interests, which is why many security experts believe the attackers are linked to the Russian Military Intelligence Service (GRU).

However, APT28 was not the first group to adopt the DDE technique. On Oct. 11, days after the DDE method was first made public, researchers from Cisco Systems’ Talos division reported that it was being used to infect computers with DNSMessenger, a stealthy malware program that establishes a two-way communication channel with attackers via DNS TXT records.

It’s very likely that DDE-based malware attacks will not only continue but also increase in frequency, since companies have yet to train their employees to be wary of this technique. The method also works with Outlook emails and calendar invites formatted as Microsoft Outlook Rich Text Format (RTF).

On recent versions of Office, DDE-based attacks require user interaction. Users have to agree to a prompt that informs them the opened documents include links referencing other files and asks for their permission to update the documents with data from those external files.

Microsoft has published a security advisory with information on how to disable DDE in various Office programs, either through the options interface or through registry keys. Will Dormann of CERT/CC has also published a registry script on GitHub that can be used to disable DDE in several Office programs. There are also YARA rules for detecting documents containing DDE.

Windows Defender Advanced Threat Protection Gets Support for Linux, MacOS, Mobile Endpoints

Microsoft has partnered with Bitdefender, Lookout and Ziften to integrate security intelligence gathered by those companies’ endpoint security solutions for Linux, macOS, iOS and Android with the Windows Defender ATP console.

Windows Defender ATP was launched for public preview in September and gathers information about security threats and malware detections in a unified console. It allows incident responders to have a detailed and historical overview of processes and other data associated with suspicious activity. However, until now this data was only collected from Windows PCs.

“We have been working closely with our partners to ensure the integration of their solutions with Windows Defender ATP is simple and easy to implement with only a few clicks,” said Rob Lefferts, partner director in the Windows & Devices Group at Microsoft. “There are no requirements for any additional infrastructure, and once the integration is set, new events from on boarded macOS, Linux, iOS and Android devices will start surfacing into the Windows Defender ATP console.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 46 posts and counting.See all posts by lucian-constantin