An interesting multifaceted attack has been reported in a recent blog by Cisco’s Talos Intelligence team. I wanted to talk about the infection vector of this attack as it’s quite interesting and something that Microsoft has vowed not to fix, as it is a feature and not a bug. Reports are coming in about attacks in the wild which are utilizing a feature in Microsoft Word, called Dynamic Data Exchange (DDE). Details to how this is accomplished are reported in this blog from SecureData.
Unique Phishing Attack with Microsoft Word
Attackers constantly look for new ways to breach an organization. Phishing attacks are one of the most common as attackers are banking on the fact that someone will either open a document sent to them or go to a ‘faked’ URL. From there an exploit on a vulnerable piece of software usually gives them access to start their attack. But in this case, the documents didn’t have a malicious object embedded in the Word doc, which is a favorite attack vector, but rather a sneaky way of utilizing this feature that allows the Word program to connect out to retrieve the real malicious files. This way they could hope or count on a better success rate of infection as malicious Word files themselves can be scanned and deleted before getting to the recipient.
Hunting for Suspicious Behaviors with Ziften Zenith
Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit ‘strange’ behavior such as Microsoft Word spawning a shell is interesting and not expected. Taking it a bit further and looking for PowerShell running from that spawned shell and it gets ‘very’ interesting. Through our Search API, we can find these behaviors no matter when they happened. We do not need the system to be on at the time of the search, if they have run a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is always collecting and sending relevant process information which is why we can find the data without relying on the system state at the time of searching.
In our Zenith console, I searched for this condition by looking for the following:
Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline contains powershell
This returns the PIDs (Process ID) of the processes we saw startup with these conditions. From there we can drill down to see the nitty gritty details.
Figure 1: Screenshot of process tree showing Word opening a document from the Desktop
In this first screenshot, we can see details around the process tree (Word spawning CMD with Powershell under that) on the left, and to the right side you can see details such as the System name and User, plus start time.
Below in the next screenshot, we look at the CMD process and get details as to what was passed to Powershell.
Figure 2: CMD process command line parameters
Most likely when the user had to answer this Microsoft Word pop-up dialog box, that is when the CMD shell used Powershell to go out and get some code that was hosted on the Louisiana Gov website. In the Powershell screen shot below we can see more details such as Network Connect information when it was reaching out to the website to pull the fonts.txt file.
Figure 3: Powershell command line parameters and Network Connect information showing the target IP address
That IP address (220.127.116.11) is in fact the Louisiana Gov website. Sometimes we see interesting data within our Network Connect information that might not match what you expect.
After creating our Saved Search, we can alert on these conditions as they happen throughout the environment. We can also create extensions that change a GPO policy to not allow DDE or even take further action and go and find these documents and remove them from the system if so desired. Having the ability to find interesting combinations of conditions within an environment is very powerful and we are delighted to have this feature in our product.