APT Group Abuses Microsoft Word Dynamic Data Exchange - Macro-less Code Execution
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.
Summary
Threat details
This attack exploits the functionality of the Dynamic Data Exchange feature in Microsoft Word.
DDE is a built-in Windows feature designed to allow applications to exchange data with one another. Microsoft Word exposes DDE through its fields, so an attacker can very easily add a custom field to a document using the DDEAUTO keyword. This causes the custom command to be executed when the document is opened.
A recent FIN7 campaign began with a phishing email crafted to appear as though it originated from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis and Retrieval (EDGAR) system, with attachments that exploit DDE within Microsoft Word. The DDE command in the attack invoked PowerShell to call out to a compromised .GOV server hosting a malicious payload.
Following the initial compromise, a complicated multi-stage infection process ensues and results in persistence on the target system. Once persistence is achieved, another highly obfuscated stage performs a number of DNS queries against a random selection from an array of available servers. The responses are received and decoded to form the next payload, with the DNS protocol serving as the transport. The infection results in the target joining a botnet that uses a slightly different structure of DNS records to send and receive messages with the C&C server.
A successful attack could result in a complete and undetected compromise of a target within an organization, leading to further compromise and the exfiltration of sensitive data.
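An added example, not part of the original alert, showing how a defender can scan a .docx for the DDE/DDEAUTO field instructions described above. A .docx is a zip of XML parts, and a Word field is either a `w:fldSimple` element carrying its instruction in `w:instr` or a "complex" field whose instruction is spread over `w:instrText` runs between `w:fldChar` begin/separate markers; the scanner concatenates those runs before matching so a keyword split across runs is still seen. The sample document and its placeholder command are constructed in memory for the demo.

```python
import io, re, zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)  # field keyword the alert describes

def extract_field_instructions(docx_bytes: bytes) -> list[str]:
    """Collect every field instruction from the Word XML parts of a .docx (a zip)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue  # fields can sit in document, header, footer or footnote parts
            root = ET.fromstring(zf.read(name))
            for fld in root.iter(W + "fldSimple"):  # simple field: instruction in w:instr
                found.append(fld.get(W + "instr", ""))
            current = None  # complex field: instrText runs between fldChar begin/separate
            for el in root.iter():
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        current = []
                    elif current is not None:  # "separate" or "end" closes the instruction
                        found.append("".join(current))
                        current = None
                elif el.tag == W + "instrText" and current is not None:
                    current.append(el.text or "")
    return found

def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return the field instructions that invoke DDE/DDEAUTO: the indicator to alert on."""
    return [i for i in extract_field_instructions(docx_bytes) if DDE_RE.search(i)]

def build_sample_docx(instruction: str) -> bytes:
    """Constructed test input: a minimal .docx whose one field is split across two runs."""
    body = (
        f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText>{escape(instruction[:len(instruction) // 2])}</w:instrText></w:r>'
        f'<w:r><w:instrText>{escape(instruction[len(instruction) // 2:])}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)  # real files carry more parts; not needed here
    return buf.getvalue()
```

Run `find_dde_fields(open("suspect.docx", "rb").read())` on a real attachment; any non-empty result is worth quarantining, while ordinary fields such as DATE or PAGE return nothing.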
Threat updates
| Date | Update |
|---|---|
| 19 Dec 2017 | As of 15 December 2017, Microsoft have released an Office update to disable the DDE protocol in Microsoft Word as part of December's Patch Tuesday. DDE is still currently enabled in Microsoft Outlook and Excel. This update includes a patch for Microsoft Word 2003 and Microsoft Word 2007. |
Remediation steps
Last edited: 17 February 2020 11:26 am