Author: Ameer Pornillos

The goal of this post is to inform and show that Dynamic Data Exchange (DDE), a built-in feature of Microsoft Office, can be used to execute code without macros (so it works even when macros are disabled) – and in this case, to use it for attacks and exploits.

It is worth noting that SensePost already provided detailed information on this macro-less code execution technique in MS Word and reported it to Microsoft. Microsoft responded that it is a feature, that no further action will be taken, and that it will be considered as a next-version candidate bug.

In addition to this, I'll be showing further ways of leveraging the MS Office built-in feature (DDE) for some possible attack vectors, including gaining "shells" as well as malware execution.

Below is the description of Dynamic Data Exchange (DDE) from Microsoft MSDN:

Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

MS Word DDE Attack Demos

Below are some of the possible attack vectors that I've tried using the MS Word DDE built-in feature.

Empire Shell Attack

Demo on using the Microsoft Word built-in feature Dynamic Data Exchange (DDE) with a PowerShell Empire payload.

The file with the DDE payload was detected by 9 of 35 antivirus engines.

Metasploit Shell Attack

Demo on using the Microsoft Word built-in feature Dynamic Data Exchange (DDE) with a Metasploit payload.

The file with the DDE payload was detected by 8 of 35 antivirus engines.

Ransomware Attack (used Satan Ransomware for demo purposes)

Demo on using the Microsoft Word built-in feature Dynamic Data Exchange (DDE) for a ransomware infection (Satan Ransomware was used for this demo).

The file with the DDE payload was detected by 8 of 35 antivirus engines.

More DDE Attacks

While this post and the demos above are based on Microsoft Word, it is also possible to launch this kind of attack from other Microsoft applications in which the DDE feature works, for example MS Outlook. Here is a demo of a DDE attack on Microsoft Outlook using a Metasploit payload.

Defense for MS Word DDE Attacks

Since Microsoft has already stated that DDE is a feature and no further action will be taken, this is actually good news for red teams. However, since the feature can be used maliciously, it is also important to know how to protect and defend against MS Word DDE attacks.

Below are some of the possible ways to help defend against this attack.

Inform users. While this attack might not get past someone who specializes in information security, be aware that you could have users in your organization who can easily fall for this trick. It is important to instruct users to always be suspicious of unsolicited documents and never to click on anything inside them unless the source has been verified. In the case of the MS Word DDE attack, an attacker can actually modify the content of the dialog box, which can potentially trick more users.

For example, I've added the text "can be accessed by clicking Yes below" to the dialog box (which I think will help trick users into clicking the "Yes" button).

Detect and mitigate PowerShell attacks. Most of the example attacks demoed above use PowerShell to execute the payload. Sean Metcalf (@Pyrotek3) of AdSecurity.org provides really good information on defending the enterprise from PowerShell attacks (see the BSidesCharm slides in the references below).
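The process-creation telemetry that this defense relies on is easy to reason about with a concrete rule. The following is an added example, not code from this post or from the AdSecurity material: it classifies Sysmon-style process-creation records (ProcEvent is a constructed, simplified view of Sysmon Event ID 1 with just the fields the rule needs) and flags two things seen in the demos above, an Office host process spawning a command interpreter, and PowerShell launched with hidden-window, no-profile, encoded-command or download-cradle arguments. The sample events are constructed; the encoded-command value is a placeholder, not a real payload.

```python
import re
from collections import namedtuple

# Constructed, simplified view of a Sysmon Event ID 1 (process creation) record.
ProcEvent = namedtuple("ProcEvent", "utc_time parent_image image command_line")

# Office applications that should essentially never be the parent of a shell or script host.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Argument patterns that rarely appear in legitimate interactive or scheduled PowerShell use.
SUSPICIOUS_PS_ARGS = [
    ("encoded_command", re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\b")),
    ("hidden_window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("no_profile", re.compile(r"(?i)-nop(rofile)?\b")),
    ("download_cradle", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression")),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this event looks like an Office-launched payload; empty when it looks benign."""
    reasons = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_HOSTS and child in SHELL_CHILDREN:
        reasons.append("office_spawns_shell:%s->%s" % (parent, child))
    # Check PowerShell arguments whether PowerShell is the child itself or is invoked via cmd /c.
    if "powershell" in event.command_line.lower():
        for name, rx in SUSPICIOUS_PS_ARGS:
            if rx.search(event.command_line):
                reasons.append("powershell_arg:" + name)
    return reasons


def detect(events):
    """Run classify() over a batch of events and keep only the ones with findings."""
    findings = []
    for e in events:
        reasons = classify(e)
        if reasons:
            findings.append((e.utc_time, basename(e.image), reasons))
    return findings


# Constructed sample telemetry: a Word-spawned cmd.exe that launches PowerShell, the
# PowerShell process itself, an admin inventory script, and Word's benign print helper.
SAMPLE_EVENTS = [
    ProcEvent("2017-10-13 09:12:01",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c powershell -nop -w hidden -enc PLACEHOLDER_BASE64'),
    ProcEvent("2017-10-13 09:12:02",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -w hidden -enc PLACEHOLDER_BASE64"),
    ProcEvent("2017-10-13 09:15:40",
              r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcEvent("2017-10-13 09:16:05",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The second sample event shows the limit of judging one record at a time: the PowerShell process has cmd.exe as its parent, so only the argument rule fires. A production rule should walk the parent chain (Sysmon's ParentProcessGuid, or the ProcessId/ParentProcessId pair in Windows event 4688) so that Word -> cmd.exe -> powershell.exe is recognised as one Office-originated chain.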

Install antivirus (AV) protection on machines. Having good AV protection is really important, especially if you have users who are not very aware in terms of information security. AV provides an added layer of defense to help mitigate and stop malware-related attacks and exploits, although the detection rates above (8 or 9 of 35 engines) show that it should not be the only layer.
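Because the AV hit rates above are low, it is useful to be able to check incoming documents for DDE fields directly, for instance at a mail gateway or during incident triage. The following is an added example written for this post, not code from the author, SensePost or Microsoft: it opens a .docx (a zip of WordprocessingML XML parts), reassembles each field instruction and reports any whose first token is DDE or DDEAUTO. It deliberately handles complex fields whose instruction text is split across several w:instrText runs, since a naive string search for the keyword misses those. The two documents it scans are constructed in memory (build_docx writes only word/document.xml, which is enough for the scanner), and the DDE sample points at a placeholder path, not a working payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# A field instruction whose first token is DDE or DDEAUTO is what makes Word start the
# DDE conversation (and show the update prompt) when the document is opened.
DDE_FIELD_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)


def extract_field_instructions(xml_bytes):
    """Return every field instruction in one WordprocessingML part.

    Simple fields carry the instruction in w:fldSimple/@w:instr. Complex fields spread it
    across w:instrText runs between fldChar 'begin' and 'separate'/'end', so the runs are
    joined back together before the keyword is examined.
    """
    root = ET.fromstring(xml_bytes)
    instructions = [f.get(W + "instr", "") for f in root.iter(W + "fldSimple")]
    stack = []  # one entry per open complex field: [collected parts, still collecting?]
    for el in root.iter():  # document order, so nested fields pair up correctly
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([[], True])
            elif kind == "separate" and stack:
                stack[-1][1] = False  # text after 'separate' is the cached result, not the instruction
            elif kind == "end" and stack:
                parts, _ = stack.pop()
                instructions.append("".join(parts))
        elif el.tag == W + "instrText" and stack and stack[-1][1]:
            stack[-1][0].append(el.text or "")
    return instructions


def scan_docx(docx_bytes):
    """Scan every XML part under word/ (body, headers, footers, footnotes) for DDE fields.
    Returns a list of (part name, field instruction) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instructions = extract_field_instructions(zf.read(name))
            except ET.ParseError:
                continue  # a part that is not well-formed XML has no fields to report
            hits.extend((name, i.strip()) for i in instructions if DDE_FIELD_RE.search(i))
    return hits


def build_docx(document_xml):
    """Wrap a document.xml string in a minimal zip container (constructed test input; not a
    complete .docx, but enough for the scanner)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: a benign DATE field, and a DDE field whose keyword is split across
# two runs and whose target is a placeholder path.
BENIGN_XML = (
    '<w:document xmlns:w="' + W_NS + '"><w:body><w:p>'
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>13 October 2017</w:t></w:r></w:fldSimple>'
    '</w:p></w:body></w:document>'
)
SPLIT_DDE_XML = (
    '<w:document xmlns:w="' + W_NS + '"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve">DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO C:\\placeholder\\app.exe "placeholder args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>cached result text</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_XML), ("split-dde", SPLIT_DDE_XML)):
        print(label, scan_docx(build_docx(xml)))
```

A hit is a reason to quarantine or inspect, not proof of malice on its own: DDE fields have legitimate uses such as live links to spreadsheets, which is exactly why Microsoft calls this a feature. Older binary .doc files and RTF are not zip containers and need a different parser.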

Resources/References:

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword

https://twitter.com/SecuritySift/status/918563308541829120

https://adsecurity.org/wp-content/uploads/2016/05/BSidesCharm-2016-PowerShellSecurity-Defending-the-Enterprise-from-the-Latest-Attack-Platform-FINAL.pdf

https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774(v=vs.85).aspx