How We Blocked a Word DDE Attack from APT28


By the OPSWAT Data Sanitization Team

Last week, the APT28 threat group (also known as "Fancy Bear") was discovered to be using the Dynamic Data Exchange (DDE) attack method that we described in our recent blog post, "Data Sanitization Prevents Macro-Less MS Word Attacks." McAfee made the discovery.

The malicious Microsoft Word documents from APT28 use DDE to launch PowerShell. PowerShell then contacts a URL to download the Seduploader malware.

The document itself does not appear to have any content when opened.

On November 16, we discovered a sample of one of these files in our database.

Once we processed the file with data sanitization (Content Disarm and Reconstruction, or CDR), the DDE exploit was removed.

When we opened the original file, we saw this popup as a result of Word attempting to execute the DDE code (see our previous blog post for a detailed description of how a DDE attack works):

[Image: Microsoft Word DDE exploit popup, "Do you want to start the application"]

After data sanitization, the popup did not appear. The DDE code had been removed, and thus the Word document did not try to access PowerShell.

This is a live, in-the-wild example of an attack in use by an active threat group, and the fact that data sanitization successfully removed the threat confirms how important it is for combating document malware attacks.

VBA-based document malware attacks are still common, but attackers will continue to use any other file-borne malware methods they can find as well. DDE is especially dangerous because it needs no macros, so files that use it can slip through most security defenses unnoticed.
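To make the sanitization step concrete, the following is an added example written for this post; it is not OPSWAT product code and is not derived from the APT28 sample. A DOCX is a ZIP archive, and the field codes Word executes live in word/document.xml as w:instrText runs (complex fields) or a w:instr attribute (simple fields). The script scans that part for DDE and DDEAUTO field codes and rewrites the archive with those fields removed, leaving the rest of the document intact. The sample document it builds is constructed, with inert placeholder arguments; it spreads the field code over two instrText runs so the scanner has to join the pieces before matching, which is the kind of detail a naive string search misses.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml inside a DOCX.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
ET.register_namespace("w", W_NS)

# Field keywords that make Word start an external program via DDE.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _complex_fields(paragraph):
    """Return [(runs, instruction)] for each complex field in a paragraph.

    Runs from a fldChar 'begin' to its matching 'end' form one field; their
    w:instrText pieces are joined so a field code split across several runs
    is seen whole before matching.
    """
    fields, current, depth = [], None, 0
    for run in list(paragraph):  # direct children only, so p.remove() works later
        if run.tag != W + "r":
            continue
        fld = run.find(W + "fldChar")
        ftype = fld.get(W + "fldCharType") if fld is not None else None
        if ftype == "begin":
            depth += 1
            if depth == 1:
                current = ([], [])
        if current is not None:
            current[0].append(run)
            current[1].extend(t.text or "" for t in run.iter(W + "instrText"))
        if ftype == "end" and current is not None:
            depth -= 1
            if depth == 0:
                fields.append((current[0], "".join(current[1])))
                current = None
    return fields


def scan_document_xml(xml_bytes):
    """Return the DDE field instructions found in document.xml (empty if clean)."""
    root = ET.fromstring(xml_bytes)
    hits = []
    for p in root.iter(W + "p"):
        hits += [i.strip() for _, i in _complex_fields(p) if DDE_RE.search(i)]
    # Simple fields carry their code in the w:instr attribute instead of runs.
    hits += [f.get(W + "instr", "").strip() for f in root.iter(W + "fldSimple")
             if DDE_RE.search(f.get(W + "instr", ""))]
    return hits


def sanitize_document_xml(xml_bytes):
    """Drop every DDE field (runs or fldSimple); return (new_xml, removed_count)."""
    root = ET.fromstring(xml_bytes)
    removed = 0
    for p in list(root.iter(W + "p")):
        for runs, instr in _complex_fields(p):
            if DDE_RE.search(instr):
                for r in runs:
                    p.remove(r)
                removed += 1
        for f in list(p.findall(W + "fldSimple")):
            if DDE_RE.search(f.get(W + "instr", "")):
                p.remove(f)
                removed += 1
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True), removed


def scan_docx(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return scan_document_xml(z.read("word/document.xml"))


def sanitize_docx(docx_bytes):
    """Re-zip the DOCX with a cleaned document.xml; other parts are copied as-is."""
    out, removed = io.BytesIO(), 0
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "word/document.xml":
                data, removed = sanitize_document_xml(data)
            dst.writestr(item, data)
    return out.getvalue(), removed


def build_sample_docx():
    """Constructed sample (not the APT28 file): a visually empty document whose
    only content is a DDEAUTO field with inert placeholder arguments, with the
    field code split over two instrText runs."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">AUTO "EXAMPLE_APP" "EXAMPLE_ARGS" </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % W_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # minimal stand-in part
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", scan_docx(sample))
    clean, n = sanitize_docx(sample)
    print("removed %d field(s); after: %s" % (n, scan_docx(clean)))
```

Run against the constructed sample, the scan reports one DDEAUTO field before sanitization and none after. The example keys on the field keyword rather than on any particular program path or argument, which is why a split or re-spaced field code is still caught once the runs are joined; a production CDR engine goes further and rebuilds the document from known-good structure rather than deleting what a regex recognizes.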

Further data about this sample is below:

  • File name: IsisAttackinNewYork.docx
  • File type: DOCX
  • SHA256: 9AE72114B4CD0B293DEE6C5EDDA7EF5E4D57A3AEDAD9C71C0E9DE659D000E045

h/t McAfee