As new forms of cybercrime emerge, attacker tradecraft is shifting towards stealthier techniques that abuse standard software features and protocols which defenders do not usually monitor. Security researchers have recently discovered a malicious campaign distributing malware-laden Microsoft Word documents that achieve code execution on the targeted machine without macros being enabled and without any memory-corruption vulnerability. Instead, this macro-less code execution technique, first described by a pair of security analysts, abuses a built-in feature of Microsoft Office known as DDE (Dynamic Data Exchange).
DDE is one of several mechanisms Microsoft provides for two running programs to share data. Applications can use the protocol for one-time data transfers or for continuous exchanges in which one application sends updates to another as new data becomes available. Many programs support DDE, including Microsoft Word, Excel, Visual Basic and Quattro Pro. In Word, a DDE field embedded in a document names the program to talk to and the data to request from it, and Word offers to refresh such fields when the document is opened. The technique the researchers described triggers no 'security' warning for the victim: the only dialog that stands between the user and code execution is the one asking whether they really want to start the program specified in the field's command. According to the analysts, even that prompt can be suppressed 'with proper syntax modification'.
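Because the field code, not a macro, is what launches the program, a sensible mail-gateway or triage check is to pull every field instruction out of the document's WordprocessingML parts and look for DDE or DDEAUTO. The following is an added example, not code from the original article or from the researchers it cites. It builds a constructed sample .docx in memory (the field code, file layout and chunking are assumptions made for the demonstration) and then scans it, reassembling field instructions that have been split across several runs, a trick that defeats a plain string search over document.xml.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# WordprocessingML namespace used inside word/document.xml and related parts.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# DDE and DDEAUTO field instructions hand control to an external program.
# Matched as whole words so a hyperlink that merely contains "dde" is not flagged.
DDE_FIELD_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

# Minimal content-types part; the scanner itself only reads word/*.xml.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)


def build_sample_docx(field_code, chunk=5):
    """Constructed sample (not a real attachment): a one-paragraph .docx whose only
    content is a complex field. The instruction is deliberately split into
    several <w:instrText> runs; Word renders that identically."""
    pieces = [field_code[i:i + chunk] for i in range(0, len(field_code), chunk)]
    instr_runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(p)
        for p in pieces
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        + f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        + '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        + instr_runs
        + '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        + "<w:r><w:t>field result shown to the reader</w:t></w:r>"
        + '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        + "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def extract_field_codes(part_xml):
    """Return every field instruction in one WordprocessingML part, reassembling
    complex fields whose instruction is spread over multiple runs."""
    root = ET.fromstring(part_xml)
    codes = []
    # Simple fields keep the whole instruction in a single attribute.
    for fld in root.iter(W + "fldSimple"):
        codes.append(fld.get(W + "instr", ""))
    # Complex fields are bracketed by fldChar begin/separate/end markers, with the
    # instruction in instrText runs. Nested fields (e.g. QUOTE wrapping DDEAUTO
    # to hide it) are folded into the outer field's code so they are still seen.
    depth, parts = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    parts = []
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(parts))
        elif el.tag == W + "instrText" and depth > 0:
            parts.append(el.text or "")
    return codes


def scan_docx_for_dde(docx_bytes):
    """Return whitespace-normalised DDE/DDEAUTO field codes found in any part of
    the package (body, headers, footers, footnotes), or [] if there are none."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = extract_field_codes(z.read(name))
            except ET.ParseError:
                continue  # not a part we can parse; skip rather than crash
            for code in codes:
                if DDE_FIELD_RE.search(code):
                    hits.append(" ".join(code.split()))
    return hits


if __name__ == "__main__":
    # Constructed field code for the demo; it only echoes text via cmd.exe.
    sample = build_sample_docx('DDEAUTO c:\\windows\\system32\\cmd.exe "/k echo dde"')
    print(scan_docx_for_dde(sample))
    print(scan_docx_for_dde(build_sample_docx("PAGE \\* MERGEFORMAT")))
```

The scanner understands only the OOXML (.docx) container; legacy binary .doc files and Excel workbooks, where DDE is expressed as a cell formula rather than a Word field, need a different parser and are outside this example.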
According to the malware researchers, this technique is being actively exploited in the wild to target organizations through spam campaigns. The spear-phishing emails were spoofed to appear to come from the SEC (Securities and Exchange Commission), lending them enough legitimacy to persuade recipients to open them promptly. Based on the blog post published by the researchers, the emails carried a malicious Word attachment that, when opened, kicked off a multi-stage infection chain ending in the DNSMessenger malware.
Earlier, in March, the researchers had found threat actors spreading DNSMessenger, a fileless RAT (Remote Access Trojan) that uses DNS queries to deliver PowerShell commands to compromised PCs. When the attachment is opened, the user is shown a prompt stating that the document contains links to other files and asking whether that content should be retrieved and displayed. If the user allows it, the document's DDE field contacts the attackers' remote server to retrieve code, which is then executed to begin the DNSMessenger infection. The simplest defence is therefore to treat any unexpected document from an unknown sender with suspicion and never open an attachment without verifying its source. Administrators can additionally turn off the 'Update automatic links at open' setting in Word's advanced options, which stops Word from refreshing DDE fields when a document is opened.
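Once the document stage has run, the remaining observable is the DNS traffic the RAT uses to fetch its commands. The following is an added illustration, not from the original article or the researchers' report: it runs a simple heuristic over constructed resolver log lines (the log format, the assumption that the commands travel in TXT records, and the thresholds are all assumptions of this example) and flags a client that sends many TXT queries for distinct, high-entropy hostnames under one domain, which is what command-and-control over DNS tends to look like.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2017-10-11T09:00:01Z 10.1.2.3 A www.example.com.
2017-10-11T09:00:02Z 10.1.2.3 TXT _dmarc.example.com.
2017-10-11T09:00:05Z 10.1.2.3 TXT 3f9a1c7e5b2d8046.stage.example.test.
2017-10-11T09:00:06Z 10.1.2.3 TXT 8c21e6f4a0b7d953.stage.example.test.
2017-10-11T09:00:07Z 10.1.2.3 TXT d4e7b1903a5c6f28.stage.example.test.
2017-10-11T09:00:08Z 10.1.2.3 TXT 61f0c93b7e8a2d54.stage.example.test.
2017-10-11T09:00:09Z 10.1.2.3 TXT a95d3e0c7f1b4862.stage.example.test.
2017-10-11T09:00:10Z 10.1.2.3 TXT 2b7f4a1d9e6c0538.stage.example.test.
2017-10-11T09:00:11Z 10.1.2.9 AAAA mail.example.com.
2017-10-11T09:00:12Z 10.1.2.9 TXT example.net.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

# Assumed thresholds; tune them against a baseline of your own resolver logs.
MIN_TXT_QUERIES = 5
MIN_DISTINCT_NAMES = 5
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(text):
    """Bits per character; encoded payload labels score far higher than words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Crude registrable-domain guess (last two labels). A real deployment would
    consult the public suffix list; this is an assumption for the example."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_dns_c2(lines):
    """Group TXT queries by (client, domain) and return the pairs whose volume,
    name churn and label entropy all exceed the thresholds."""
    stats = defaultdict(lambda: {"txt": 0, "names": set(), "entropies": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["qtype"].upper() != "TXT":
            continue
        qname = m["qname"].rstrip(".").lower()
        entry = stats[(m["client"], registered_domain(qname))]
        entry["txt"] += 1
        entry["names"].add(qname)
        # The leftmost label is where an encoded payload or beacon usually lives.
        entry["entropies"].append(shannon_entropy(qname.split(".")[0]))

    flagged = []
    for (client, domain), entry in sorted(stats.items()):
        mean_entropy = sum(entry["entropies"]) / len(entry["entropies"])
        if (entry["txt"] >= MIN_TXT_QUERIES
                and len(entry["names"]) >= MIN_DISTINCT_NAMES
                and mean_entropy >= MIN_MEAN_ENTROPY):
            flagged.append({
                "client": client,
                "domain": domain,
                "txt_queries": entry["txt"],
                "distinct_names": len(entry["names"]),
                "mean_entropy": round(mean_entropy, 2),
            })
    return flagged


if __name__ == "__main__":
    for hit in detect_dns_c2(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

A single legitimate TXT lookup such as the `_dmarc` query is not flagged because the volume and churn thresholds are not met; the heuristic is deliberately conservative so that it surfaces the sustained beaconing pattern rather than individual unusual queries.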