We are still seeing malware campaigns using the DDE exploit These are somewhat different to earlier versions and the word docs do contain macros with a very basic base64 encoded PowerShell script that contains the DDE exploit. Using Office Malscanner only shows the macro with a DDE Auto command not a separate DDE embedded object in the same way the previous versions did.
The original email was uploaded to our submissions system on 22 December 2017. I tried the links in the email several times over the last few days and always got a time out with no response, even trying via numerous proxy servers worldwide. Today I actually got a response and downloaded the malicious Word Doc that contains the DDE exploit in the macro. The original uploader thought this was a phishing email because he also didn’t get any payload delivered to him.
The email pretends to be from Ebay asking you to download an invoice. Unfortunately, today, the site(s) the PowerShell tries to contact are giving a 404 response so I have no idea what the eventual payload was supposed to be. This post therefore is a general information post about the use of DDE in Macros
You can now submit suspicious sites, emails and files via our Submissions system
What makes these much worse than normal Macros or embedded ole objects to deal with are the rather innocuous warnings that Word gives when the Word doc is opened, which unwitting recipients are possibly more likely to click through, because they don’t understand it. Combining Macros with DDE exploit means that the prospective victim has to click through 4 or 5 warnings to actually be infected by these sorts of scam, phishing malware emails.
Asking somebody to update links seems innocent enough and many recipients will click yes, just because they have no idea what it means. Clicking NO will stop this exploit. If you click yes, you should then get a second alert saying something like ” The remote data is not accessible do you want to start the application C:\windows\sytem32\program.exe?” However we believe it is possible for the malware author to hide or bypass the second message and automatically script the file to run.
Opening the word doc shows this
If you enable editing, you then get
The macro looks like this
You can see several other screenshots of this in action on the Hybrid Analysis or Anyrun reports
_INVOICE__7382.doc Current Virus total detections: Hybrid Analysis | Anyrun Beta | VirusBay | tries to contact ‘http://188.8.131.52/download/s/EGeGgJSGzPkCaKE’ Which is currently giving a 404 not found
Now these are very easy to protect against by changing 1 simple setting in Microsoft Word ( provided your company does not use the DDE feature to dynamically update word files with content from Excel spreadsheets etc) See HERE for details
The Recent Microsoft Updates to Microsoft Word should have prevented these from infecting users. However I am not 100% certain that the patches will prevent DDE embedded in a Macro dropping a PowerShell script. All the details I read say it disables the DDE functionality inside word. I have Office 2013 CTR ( click to run) installed with latest updates and I can’t see the stated registry entries have been applied. In Fact the Microsoft Security Advisory does not mention 2013 CTR at all. I would advise any 2013 CTR users to enable the manual fix as shown HERE to be safe. Manually enabling the fix via word settings / Options => Advanced does prevent the DDE prompts from being shown. On my copy of 2013 CTR without me manually enabling the fix, DDE prompts still show.
I also cannot see the registry entries that are supposed to block DDE in Office 2010 when update 4011614 has been applied either.
The Microsoft post does not make it clear whether the base link in the registry is applied by the update or whether you need to create the registry entries manually, if you want to alter the new “default” block DDE behaviour.
If you need to change DDE functionality in Word after installing the update, follow these steps:
- In the Registry Editor navigate to \HKEY_CURRENT_USER\Software\Microsoft\Office\version\Word\Security AllowDDE(DWORD)
- Set the DWORD value based on your requirements as follows:
- AllowDDE(DWORD) = 0: To disable DDE. This is the default setting after you install the update.
- AllowDDE(DWORD) = 1: To allow DDE requests to an already running program, but prevent DDE requests that require another executable program to be launched.
- AllowDDE(DWORD) = 2: To fully allow DDE requests.
My interpretation and I assume any reasonably educated person capable of reading Microsoft’s version of English would interpret that statement to say that the AllowDDE(DWORD) =0 is already there and if you want to allow DDE for any reason, you should change the dword. However over recent months & years the standard of Microsoft documentation has declined, mistakes, error and typos are extremely common so make your own minds up what the update does and whether the registry entries are needed or not in a default state to block DDE auto link updating
Once you set Word not to “update automatic links at open” then you should no longer get the alert messages shown in Brad’s ISC post like this one. There is then no physical way that a recipient can click yes, to allow the links to work and download anything. You are then totally safe from this exploit or what is in reality a misuse of a legitimate Word feature.
One of the emails looks like:
From: eBay <firstname.lastname@example.org>
Date: 22 Dec 2017 10:36
Subject:Your invoice for eBay purchases (108132108731391#)
Please note that this is a system generated email. Please do not reply to this email. If you have questions, please click the following link or paste it in your browser.http://pages.ebay.com/help/basics/select-support.html eBay sent this message to (brian.).
Your registered name is included to show this message originated from eBay. Learn more.
Thank you for shopping on eBay! Your total amount due is USD $89.68. Download and pay your invoice 108132108731391.
Email reference id: [#6f8c98edbca3f86a4c2fe5eca82b2db5#]
Learn More to protect yourself from spoof (fake) emails.
eBay sent this email to you at email@example.com about your account registered on www.ebay.com.
eBay will periodically send you required emails about the site and your transactions. Visit our Privacy Notice and User Agreement if you have any questions.
Copyright © 2015 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc. eBay International AG is located at Helvetiastrasse 15/17 – P.O. Box 133, 3000 Bern 6,Switzerland.
All the alleged senders, amounts, reference numbers, Bank codes, companies, names of employees, employee positions, email addresses and phone numbers mentioned in the emails are all random. Some of these companies will exist and some won’t. Don’t try to respond by phone or email, all you will do is end up with an innocent person or company who have had their details spoofed and picked at random from a long list that the bad guys have previously found. The bad guys choose companies, Government departments and organisations with subjects that are designed to entice you or alarm you into blindly opening the attachment or clicking the link in the email to see what is happening.
Please read our How to protect yourselves page for simple, sensible advice on how to avoid being infected by this sort of socially engineered malware.
Be very careful with email attachments or following links in emails. All of these emails use Social engineering tricks to persuade you to open the attachments or follow the links in the email. Whether it is a message saying “look at this picture of me I took last night” and it appears to come from a friend or is more targeted at somebody who regularly is likely to receive PDF attachments or Word .doc attachments or any other common file that you use every day.
The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of them doing silly things, or even cute pictures of the children or pets.
Never just blindly click on the file in your email program. Always save the file to your downloads folder, so you can check it first. Many malicious files that are attached to emails will have a faked extension. That is the 3 letters at the end of the file name. Unfortunately windows by default hides the file extensions so you need to Set your folder options to “show known file types. Then when you unzip the zip file that is supposed to contain the pictures of “Sally’s dog catching a ball” or a report in word document format that work has supposedly sent you to finish working on at the weekend, or an invoice or order confirmation from some company, you can easily see if it is a picture or document & not a malicious program.
If you see .JS or .EXE or .COM or .PIF or .SCR or .HTA .vbs, .wsf , .jse .jar at the end of the file name DO NOT click on it or try to open it, it will infect you.
While the malicious program is inside the zip file, it cannot harm you or automatically run. When it is just sitting unzipped in your downloads folder it won’t infect you, provided you don’t click it to run it. Just delete the zip and any extracted file and everything will be OK. You can always run a scan with your antivirus to be sure. There are some zip files that can be configured by the bad guys to automatically run the malware file when you double click the zip to extract the file. If you right click any suspicious zip file received, and select extract here or extract to folder ( after saving the zip to a folder on the computer) that risk is virtually eliminated. Never attempt to open a zip directly from your email, that is a guaranteed way to get infected. The best way is to just delete the unexpected zip and not risk any infection.