
APT28 Using DDE Vulnerability to Distribute Seduploader


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Ongoing activity by APT28 (Fancy Bear) indicates that the group is exploiting the Dynamic Data Exchange (DDE) vulnerability in Microsoft Office to install the Seduploader malware.

Affected platforms

The following platforms are known to be affected:

Threat details

The attack uses seemingly authentic phishing emails specifically targeted at the recipient, in this case themed on the New York terrorist attack in October (IsisAttackInNewYork.doc). Once the user opens the blank document, the embedded DDE field launches the command line, which runs PowerShell; PowerShell then executes two commands that communicate with a Command and Control (C2) server and download the first stage of Seduploader.

Seduploader is capable of exfiltrating data, executing code, downloading code and taking screenshots. Attackers may use this information to plan further attacks.
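As an added example that is not part of the NHS Digital alert, the following Python checker looks for the DDE/DDEAUTO fields that this attack relies on inside an OOXML (.docx) attachment. It assumes the attachment is already available as bytes and that it is OOXML; the lure named above is a binary .doc, which this parser does not cover.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)  # field codes the attack abuses

def dde_field_codes(docx_bytes):
    """Return every DDE/DDEAUTO field code in an OOXML .docx. Field codes may be
    split over several <w:instrText> runs, nested in other fields (a common
    obfuscation) or stored in a <w:fldSimple w:instr> attribute."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    hits, buf, depth = [], [], 0
    for el in root.iter():
        tag = el.tag.split("}")[-1]
        if tag == "fldChar":
            kind = el.get("{%s}fldCharType" % W_NS)
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:  # outermost field closed: check the whole code
                    code = "".join(buf).strip()
                    if DDE_RE.search(code):
                        hits.append(code)
                    buf = []
        elif tag == "instrText" and depth > 0:
            buf.append(el.text or "")
        elif tag == "fldSimple":
            code = (el.get("{%s}instr" % W_NS) or "").strip()
            if DDE_RE.search(code):
                hits.append(code)
    return hits

def make_docx(body_xml):
    """Build a minimal in-memory .docx (constructed input, not a real sample)."""
    doc = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return out.getvalue()

# Constructed bodies: a DDEAUTO field with placeholder arguments, and a benign DATE field.
DDE_BODY = ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText>DDEAUTO "PLACEHOLDER_PROGRAM" </w:instrText></w:r>'
            '<w:r><w:instrText>"PLACEHOLDER_ARGS"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>cached</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
CLEAN_BODY = '<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>19 Dec 2017</w:t></w:r></w:fldSimple></w:p>'
```

A non-empty result from `dde_field_codes` is a quarantine signal for a mail gateway or triage script; the placeholder arguments stand in for whatever the real field would launch.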

Threat updates

19 Dec 2017: As of 15 December 2017, Microsoft has released an Office update that disables the DDE protocol in Microsoft Word as part of December's Patch Tuesday.


Remediation steps

  • Consider disabling DDE.
  • DDE attacks embedded directly in emails can be neutered by viewing messages in plain text, including messages sent as HTML, although this will make some emails harder to read where colours and styling have been used.
  • Ensure that users take the time to read dialogue boxes before clicking 'Yes'.
  • Users and administrators are encouraged to review Microsoft Security Advisory 4053440.

Last edited: 17 February 2020 11:27 am