Microsoft Office documents containing malicious macros are commonly used to spread malware and ransomware. However, security researchers have now identified Microsoft Office attacks without macros, and the technique is harder to block.

Microsoft Office Attacks Without Macros

While it is possible to stop macros from running automatically, or to disable them entirely, that will not protect you from this new attack method. According to researchers at SensePost, it leverages a feature of MS Office called Dynamic Data Exchange (DDE). This built-in Windows feature allows two applications, for example MS Word and MS Excel, to share the same data; DDE supports both a one-time exchange of data between two applications and continuous sharing of data.

Cybercriminals can use this feature of MS Office to make a document execute an application without macros, as one stage of a multi-stage attack on the victim. Unlike macros, which trigger a security warning before they are allowed to run, this attack method does not present the user with a macro-style security warning.

Opening the MS Office file will present the user with a message saying “This document contains links that may refer to other files. Do you want to open this document with the data from the linked files?” Users who regularly use files that use the DDE protocol may automatically click on yes.

A second dialog box is then displayed asking the user to confirm that they wish to execute the file specified in the command, but the researchers explain that it is possible to suppress that warning.

This technique has already been used by at least one group of hackers in spear phishing campaigns, with the emails and documents appearing to have been sent from the Securities and Exchange Commission (SEC). In this case, the hackers were using the technique to infect users with DNSMessenger fileless malware.

Unlike macros, DDE cannot simply be disabled without side effects. While it is possible to monitor for these types of attacks, the best defense is to block the emails that deliver these malicious documents using a spam filter, and to train staff to be more security aware and to verify the source of an email before opening any attachments.

Locky Ransomware Updated Again (..and again)

If you have rules set to detect ransomware attacks by scanning for specific file extensions, you will need to add two new extensions to detect two new Locky ransomware variants. The authors of Locky ransomware have updated their code again, making four changes in a little over a month.

In August and September, Locky was using the .lukitus and .diablo extensions. Then the authors switched to the .ykcol extension. In the past week, a further campaign has been detected using the .asasin extension.

The good news about the .asasin campaign is that, as currently distributed, it will not result in infection: an error was made when the attachment was added to the spam emails. However, that is likely to be corrected soon.

The .ykcol variant is being spread via spam email and uses fake invoices as the lure to get users to open the attachments. The documents contain a macro that launches a JavaScript or PowerShell downloader that installs and runs the Locky binary. The .asasin variant is being spread via emails that spoof RightSignature and appear to have been sent from the documents[@]rightsignature.com email address. The emails claim the attached file has been completed and contains a digital signature.

The authors of Locky are constantly changing tactics. They use highly varied spam campaigns, a variety of social engineering techniques, and various attachments and malicious URLs to deliver their malicious payload.

For this reason, it is essential to implement a spam filtering solution to prevent these emails from being delivered to end users’ inboxes. You should also ensure you have multiple copies of backups stored in different locations, and be sure to test those backups to make sure file recovery is possible.

To find out more about how you can protect your networks from malicious email messages – those containing macros as well as non-macro attacks – contact the TitanHQ team today.