This article explains the Threat Signature that applies to Automatic Dynamic Data Exchange. It is intended for Administrators.
Threat Overview
Automatic Dynamic Data Exchange (DDEAUTO) is a native command feature of Microsoft Office documents that’s used to pull data out of another file. DDEAUTO has previously undocumented functionality, whereby it can start any application already installed on a computer from another file.
This vulnerability has been actively exploited by threat actors to embed malware, in the form of a PowerShell or other script, in the data of a Word or Excel file. Simply opening the document executes malicious code, without needing the victim to download a file or enable Word macros.
Depending on the particular campaign, the executable code contained within these files can act as a trojan, deploy ransomware, or create backdoor access to the compromised system.
Mimecast Detection
Mimecast performs a deep inspection of DOC and DOCX files used by Microsoft Office, and detects DDEAUTO fields, in conjunction with malicious commands, using our unique signature MC-Doc.DDE-4.
Example:
| Threat Type | Targeted Platforms | Signature Created |
|---|---|---|
| Malicious Documents | Windows, Microsoft Office | 17 Oct 2019, 15:48 (GMT) |
Indicators of Compromise
Example SHA-256 hashes of files used to deploy malware:
7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb