DDE Attack

Introduction

Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16.  Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsoft's Dynamic Data Exchange (DDE) technique.  According to BleepingComputer, attacks using this technique have existed since the early 90s, but DDE has gained notoriety in the past few weeks due to a series of recent reports.  (Use a search engine for "DDE attack" or "DDE exploit" to find some results).

Ultimately, these DDE attacks are somewhat less effective than malicious macros, and Microsoft maintains DDE functionality is not a vulnerability.  Victims must click through several warnings to get infected from these documents.  Otherwise, little has changed for infection characteristics noted in my previous diary covering Hancitor malspam last month.  Today's diary examines a wave of Hancitor malspam from Monday, 2017-10-16.

The emails

Monday's wave used a DocuSign template we've seen before from Hancitor malspam.  Several people on Twitter also saw Monday's malspam, including @cheapbyte, @GossiTheDog, @James_inthe_box, @noottrak, and @Ring0x0.  Links from the emails went to newly-registered domains that returned a malicious Word document.


Shown above:  An example of the malspam.

The Word document

I tried a link from the emails in Windows 10 running Office365.  As usual, people must ignore various warnings to kick off an infection.  First, because the Word document was downloaded from the Internet, I had to enable editing to escape Protected View.  Then, I had to click through three dialogue windows to infect my Windows host.


Shown above:  Following a link from one of the emails.


Shown above:  Escaping Protected View by enabling editing.


Shown above:  1st dialogue box (1 of 3).


Shown above:  2nd dialogue box (2 of 3).


Shown above:  3rd dialogue box (3 of 3).
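The dialogue boxes above appear because the document carries a DDE or DDEAUTO field code that Word tries to update when the file is opened.  A defender can spot such fields without opening the document at all, since a .docx is a zip archive and the field instructions live in the WordprocessingML XML parts.  The scanner below is an added example written for this diary, not code from the original post; it unpacks a .docx in memory, joins complex-field instructions that have been split across several instrText runs (a common way to hide the DDEAUTO keyword from naive string searches), checks simple fields too, and flags anything starting with DDE.  The sample document it builds is constructed here with placeholder strings rather than a real malspam attachment.

```python
"""Scan a .docx for Dynamic Data Exchange (DDE / DDEAUTO) field codes.

Added example for this diary (not from the original post).  The sample
document built by build_sample_docx() is constructed with placeholder
field text; it is not a real malspam attachment.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instruction that starts with DDE or DDEAUTO (optionally quoted / indented).
DDE_RE = re.compile(r'^\s*["\']?\s*DDE(AUTO)?\b', re.IGNORECASE)


def _field_instructions(xml_bytes):
    """Return every field instruction string found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    found = []
    # Simple fields keep the whole instruction in the w:instr attribute.
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            found.append(instr)
    # Complex fields: fldChar begin, one or more instrText runs, separate, end.
    # A stack handles nested fields; document order is preserved by root.iter().
    stack = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                found.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return found


def find_dde_fields(docx_bytes):
    """Return [(part_name, instruction)] for every DDE/DDEAUTO field in the .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Body, headers, footers, footnotes etc. all live under word/*.xml.
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in _field_instructions(zf.read(name)):
                    if DDE_RE.match(instr):
                        hits.append((name, instr.strip()))
    return hits


def build_sample_docx(instr_runs):
    """Build a minimal .docx in memory whose single paragraph holds one complex
    field, with the instruction split across the given instrText runs.
    Constructed sample for testing the scanner; the field text is a placeholder."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(r)
        for r in instr_runs
    )
    body = (
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>field result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    ) % (W_NS, runs)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python dde_scan.py suspicious.docx
    with open(sys.argv[1], "rb") as fh:
        for part, instr in find_dde_fields(fh.read()):
            print("%s: %s" % (part, instr))
```

Because the check runs on the raw XML, it works on mail-gateway or sandbox copies of the attachment and does not depend on Word's own link-update behaviour.  Fields split across runs are reassembled before matching, which is the point of the stack in `_field_instructions`; a scanner that only greps the zip contents for the literal string `DDEAUTO` misses those.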

The traffic

Traffic remains the same as last time, except we find an HTTP GET request for a Hancitor (or a Hancitor-related) executable after the document is downloaded.  Previously, this initial malware was part of the malicious document macro.  However, with this DDE attack, the initial executable is downloaded separately.


Shown above:  Traffic from an infection filtered in Wireshark.

Indicators of compromise (IOCs)

Emails collected:

Links from the malspam:

Traffic noted while infecting hosts in my lab:

Artifacts from an infected host:

SHA256 hash: f945105f5a0bc8ea0d62a28ee62883ffc14377b6abec2d0841e88935fd8902d3

SHA256 hash: a647d12d6298c8aef225d77f1e2b605ae78fadd7360ab0c48363d2e461612150

SHA256 hash: 8f94cee61a76c7b9612381978876dcd996c15ae8da50fd75d700a05df571d10a

SHA256 hash: 15e9493c4f50b672fe801108d31ac6660d1d5787e0c71964a935a893aab12032

Final words

As mentioned earlier, these DDE attacks are no more effective than malicious macro-based attacks.  Each requires victims to click through a series of warnings to get infected.  Furthermore, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers.  Using Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring.

Traffic and malware samples for this diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net