Hiding malicious code within a macro is a malware technique well-known among attackers and defenders, and even end-users have heard the message that they need to take care when opening documents from unknown sources that contain macros. Many enterprises implement a blocking policy for macros or strip VBA code found in email attachments. What is less known, however, is that attackers can embed code without the need to use a macro. In such cases, a malicious document would be able to bypass traditional defenses.
What is the DDE Exploit?
Microsoft’s Dynamic Data Exchange (DDE) is a protocol designed to allow the transportation of data between MS Office applications. It was introduced as early as Windows 2.0 back in 1987 and provides what Microsoft once considered core functionality to the Office suite of tools:
“Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.”
While that is certainly a benefit for legitimate users and uses of the protocol, the unfortunate side-effect of DDE is that it provides an avenue for attackers to exploit. DDE allows the execution of embedded code once a victim opens such a file, without the authorization request associated with macros. Although DDE has now been superseded by the Object Linking and Embedding (OLE) toolkit, DDE is still supported by Office applications for backwards-compatibility.
How Easy is it to Use Microsoft Office DDE to Trigger Code?
As shown by Etienne Stalmans and Saif El-Sherei, it’s extremely easy. Here is a simple demonstration that embeds an MS Word document with DDE code:
- Insert tab -> Quick Parts -> Field
- In the pop-up, ensure “= (Formula)” is selected and click “OK.”
- The Field Code should now be displayed; change it to contain the following:
{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" }
- Save the document.
Once the document is opened, the code immediately executes the calc.exe.
DDE Extends to Excel and other Office Applications
In December 2017, Microsoft released an update which disables DDE in recent versions of MS Word by default, but this does not solve the problem. First, not all supported versions of MS Word received the update. Second, users can re-enable DDE if they wish. Since many enterprises still rely on legacy code and legacy applications, there remains a significant chance that an attacker may still be able to exploit the availability of DDE in MS Word. Moreover, DDE remains enabled by default in both Excel and Outlook. A step-by-step guide on how to exploit DDE in both of those, as well as in contacts and even calendar invites, was provided by PentestLab in January 2018.
How Attackers May Use this Technique
Since discovery, several tools have implemented ways to exploit the DDE vulnerability. For example:
- Metasploit Framework has a module which can be used to deliver attacks via DDE.
exploit/windows/fileformat/office_dde_delivery
msf > use exploit/windows/fileformat/office_dde_delivery
msf exploit(office_dde_delivery) > show targets
...targets...
msf exploit(office_dde_delivery) > set TARGET
msf exploit(office_dde_delivery) > show options
...show and set options...
msf exploit(office_dde_delivery) > exploit - Empire provides a stager which can generate Word documents with embedded DDE payloads.
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info
(Empire: listeners/http) > execute
[*] Starting listener 'http'
[+] Listener successfully started!
One of the barriers attackers face with exploiting DDE is that the code will trigger popup alerts, prompting the user to take action. However, attackers can employ social engineering techniques that give the impression that approval is the only way the user can view the document:
Was it Ever Seen in the Wild?
There have been many cases of this technique being used in the wild, two of particular note being:
- Necurs Botnet used it to distribute Locky ransomware and TrickBot banking trojan
- Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal)
How is SentinelOne Addressing It?
SentinelOne implements several detection layers on the agent side and consequently does not need to rely on connectivity to prevent the execution of malicious DDE code. The demo video below shows how the agent detects the attempt and is capable of rolling back the device to its pre-infected state. The video shows what happens when a Detect-only policy is in force. However, in a real-life scenario, users would typically use a Protect policy that would prevent the execution of any code, making remediation unnecessary.