DDE Attack
Introduction
Malicious spam (malspam) pushing Hancitor malware (also known as Chanitor or Tordal) changed tactics on Monday 2017-10-16. Instead of pushing Microsoft Word documents with malicious macros, this malspam began pushing Word documents taking advantage of Microsoft's Dynamic Data Exchange (DDE) technique. According to BleepingComputer, attacks using this technique have existed since the early 90s, but DDE has gained notoriety in the past few weeks due to a series of recent reports. (Use a search engine for "DDE attack" or "DDE exploit" to find some results).
Ultimately, these DDE attacks are somewhat less effective than malicious macros, and Microsoft maintains DDE functionality is not a vulnerability. Victims must click through several warnings to get infected from these documents. Otherwise, little has changed for infection characteristics noted in my previous diary covering Hancitor malspam last month. Today's diary examines a wave of Hancitor malspam from Monday, 2017-10-16.
The emails
Monday's wave used a DocuSign template we've seen before from Hanictor malspam. Several people on Twitter also saw Monday's malspam, including @cheapbyte, @GossiTheDog, @James_inthe_box, @noottrak, and @Ring0x0. Links from the emails went to newly-registered domains that returned a malicious Word document.
Shown above: An example of the malspam.
The Word document
I tried a link from the emails in Windows 10 running Office365. As usual, people must ignore various warnings to kick off an infection. First, because the Word document was downloaded from the Internet, I had to enable editing to escape Protected View. Then, I had to click through three dialogue windows to infect my Windows host.
Shown above: Following a link from one of the emails.
Shown above: Escaping Protected View by enabling editing.
Shown above: 1st dialogue box (1 of 3).
Shown above: 2nd dialogue box (2 of 3).
Shown above: 3rd dialogue box (3 of 3).
The traffic
Traffic remains the same as last time, except we find an HTTP GET request for a Hancitor (or a Hancitor-related) executable after the document is downloaded. Previously, this initial malware was part of the malicious document macro. However, with this DDE attack, the initial executable is downloaded separately.
Shown above: Traffic from an infection filtered in Wireshark.
Indicators of compromise (IOCs)
Emails collected:
Date/Time: Monday 2017-10-16 as early as 14:50 UTC thru at least 16:11 UTC
Subject: Your document Receipt [random 5-digit number] for [recipient's name] is ready for signature!
Sending email address (spoofed): "Benjamin Garcia via DocuSign" <dse@longconsult.com>
Sending email address (spoofed): "Carrie Robinson via DocuSign" <dse@longconsult.com>
Sending email address (spoofed): "Carrie Stanley via DocuSign" <dse@longconsult.com>
Sending email address (spoofed): "Mary Garcia via DocuSign" <dse@longconsult.com>
Sending email address (spoofed): "Monique Clark via DocuSign" <dse@longconsult.com>
Sending email address (spoofed): "Monique Wilson via DocuSign" <dse@longconsult.com>
Sending email address (spoofed): "Saul Walker via DocuSign" <dse@longconsult.com>
Received: from longconsult.com ([45.49.169.80])
Received: from longconsult.com ([68.98.214.133])
Received: from longconsult.com ([68.188.99.59])
Received: from longconsult.com ([173.209.154.162])
Received: from longconsult.com ([205.144.215.157])
Received: from longconsult.com ([208.181.214.155])
Links from the malspam:
bridlewoodpark[.]ca
celebration-living[.]ca
celebration-living[.]com
cloudninecondos[.]com
condoallure[.]com
donmillstowns[.]ca
me2condominium[.]com
me2condominiums[.]com
thelashgroup[.]ca
tier1mc[.]com
westkanresidential[.]ca
westkanresidential[.]com
woodstockliving[.]ca
y2mediagroup[.]ca
y2mediagroup[.]com
Traffic noted during while infecting hosts in my lab:
34.213.214.65 port 80 - frontiertherapycenter[.]com - GET /16.exe
185.82.217.224 port 80 - frontiertherapycenter[.]com - GET /16.exe
185.124.188.82 port 80 - aningrolcoligh[.]ru - POST /ls5/forum.php
91.215.169.131 port 80 - tontoftguthat[.]com - POST /ls5/forum.php
91.215.169.131 port 80 - tontoftguthat[.]com - POST /mlu/forum.php
91.215.169.131 port 80 - tontoftguthat[.]com - POST /d2/about.php
27.121.64.185 port 80 - leicam[.]com[.]au - GET /1
23.228.100.130 port 80 - www.stressbenders[.]com - GET /1
23.228.100.130 port 80 - www.stressbenders[.]com - GET /2
23.228.100.130 port 80 - www.stressbenders[.]com - GET /3
185.147.82.80 port 80 - davenyhes[.]com - POST /bdl/gate.php
api.ipify.org - GET / (location check by the infected host)
checkip.dyndns.org - GET / (location check by the infected host)
Various IP addresses, various ports - Tor traffic
10.0.2.2 port 443 - TCP SYN packet sent every 5 minutes
Artifacts from an infected host:
SHA256 hash: f945105f5a0bc8ea0d62a28ee62883ffc14377b6abec2d0841e88935fd8902d3
File name: receipt_[6 random digits].doc
File description: Word document using DDE attack technique
SHA256 hash: a647d12d6298c8aef225d77f1e2b605ae78fadd7360ab0c48363d2e461612150
File location: C:\Users\[username]\AppData\Local\Temp\tvs.exe
File description: Hancitor or Hancitor-related executable
SHA256 hash: 8f94cee61a76c7b9612381978876dcd996c15ae8da50fd75d700a05df571d10a
File location: C:\Users\[username]\AppData\Local\Temp\tvs.exe
File description: Hancitor or Hancitor-related executable seen later on another infected host
SHA256 hash: 15e9493c4f50b672fe801108d31ac6660d1d5787e0c71964a935a893aab12032
File location: C:\Users\[username]\AppData\Local\Temp\BN5A30.tmp
File location: C:\Users\[username]\AppData\Roaming\Yhaba\ehyl.exe
File description: DELoader/ZLoader
Final words
As mentioned earlier, these DDE attacks are no more effective than malicious macro-based attacks. Each requires victims to click through a series of warnings to get infected. Furthermore, it's relatively easy for system administrators (and the technically inclined) to follow best security practices on their Windows computers. Using Software Restriction Policies (SRP) or AppLocker can easily prevent these types of malspam-based infections from occurring.
Traffic and malware samples for this diary can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net