View the Full VMRay Analyzer Report
Macros in Microsoft Office have been used extensively by malware authors as a mechanism to download and execute a malicious payload on a system. Defensive measures introduced by Microsoft such as disabling macros by default have not stopped malware authors as they continue to devise social engineering techniques to convince users to enable macros thereby allowing malware to perform malicious actions. However, with email gateways and other security products incorporating VBA filtering policies for MS Office documents, malware authors are using new techniques to deliver and execute malicious payloads in Microsoft Office applications.
One technique is the use of Dynamic Data Exchange (DDE) – a protocol that allows Windows applications to share data. In this blog post, we will take a closer look at a ransomware sample that uses DDE to execute an application directly from MS Word without any macros. This technique allows malware to easily bypass security systems or email gateways with macro filtering.
Microsoft defines DDE as a set of messages and guidelines that allows applications to share data. Microsoft documentation explains that applications can use the DDE protocol for one-time data transfers for applications to send updates to one another as new data becomes available.
Malware authors take advantage of this technique because it allows external applications to be specified as a DDE data source. Word will execute these applications to retrieve information. Adding an external data source can be done by inserting a Field, manually changing its Field Code to DDEAUTO and appending the application path as well as additional parameters (Figure 1)
Figure 1: Launching and executing an external application using DDE
Depending on the security settings in Word, one of two warnings will be displayed whenever DDE commands are executed in a Word document (Figures 2 and 3).
Figure 2: Typical warning message associated with DDE commands (1/2)
Figure 3: Typical warning message associated with DDE commands (2/2)
Please note that while the second warning message (Figure 3) may raise suspicion, it is easy for a malware author to change the real path to the executable in the message to make it seem innocuous.
The ransomware sample that we analyzed is embedded with the DDEAUTO command. The command is automatically executed by Word when the document is opened. It provides the full path of the executable as well as the arguments that need to be passed.
In this case, the sample executes mshta.exe with an external URL as shown in Figure 4.
Figure 4: DDEAUTO command in the Word document to launch an executable
The path of the mshta executable is specified in this way because it tricks Word into thinking that MSword.exe is the target application as shown in Figure 5.
Figure 5: Word Document thinking MSword.exe is the target application
The first action performed by the ransomware is to establish a connection with the C&C server and share the victim’s IP address and other information. This is highlighted in the behavior section of the VMRay Analyzer analysis report (Figure 6)
Figure 6: VMRay Analysis Report: Ransomware shares user information including IP address with C&C server
The second request to the C&C server returns data that is saved in .bat file which is later executed by the malware (Figures 7 and 8).
Figure 7: VMRay Analyzer log files and report: C&C server returns .bat file which is executed by the malware
Figure 8: Execution of .bat file by the ransomware sample
The next action is to download the encryption key from the C&C server (Figure 9). This key will subsequently be used in an encryption routine that encrypts all the files on the user’s system. The sample reads each file on the system, creates a new one (ending with .aes), writes the encrypted version of the file and finally deletes the original file (Figure 10).
Figure 9: VMRay Analyzer Report: Encryption key downloaded from the C&C server
Figure 10: VMRay Analyzer Report: File Encryption performed by the ransomware sample
Finally, the ransomware sample creates a “How to recover your files” text file in every directory of the user’s system (Figure 11).
Figure 11: ‘How to recover your data’ text file created by the ransomware
While AV vendors have been slow to detect this new technique (Figure 12), VMRay’s agentless hypervisor-based dynamic analysis engine scored the file 100/100 with a severity label of ‘Malicious’. Several malicious behavior patterns are detected (Figure 13) and the detailed behavior of the sample (including the network activity) is also recorded in the Behavior section of the report.
Figure 12: AV engines have been slow to detect the DDE technique used by malware authors
Figure 13: High-Level VMRay Analysis results for the DDE ransomware sample
An important point to note is that Sensepost reported the vulnerability to Microsoft back in August 2017. Microsoft responded that no further action will be taken, and it will be considered for a next-version candidate bug.
View the full VMRay Analyzer Report for DDE Ransomware