Written By Josh Harriman And Presented By Charles Leaver
An interesting multifaceted attack was reported in a recent blog post by Cisco’s Talos Intelligence team. I want to discuss the infection vector of this attack, as it is quite interesting and is something that Microsoft has stated it will not fix, because it is a feature and not a bug. Reports are emerging of attacks in the wild that make use of a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is achieved are reported in this blog from SecureData.
Unique Phishing Attack with Microsoft Word
Attackers continuously look for new ways to breach a company. Phishing attacks are among the most common, as attackers count on someone either opening a file sent to them or visiting a ‘faked’ URL. From there, an exploit against a vulnerable piece of software typically gives them the access they need to begin their attack.
However, in this case the documents did not have a malicious object embedded in the Word doc, which is a preferred attack vector. Instead they used a sly way of abusing this feature so that the Word program connects out to retrieve the actual malicious files. This way the attackers can hope for a better infection success rate, since malicious Word files themselves can be scanned and deleted before they reach the recipient.
Searching for Suspicious Behaviors with Ziften Zenith
Here at Ziften, we wanted to be able to alert on this behavior for our customers. Conditions that show ‘unusual’ behavior, such as Microsoft Word spawning a shell, are interesting and not expected. Take it a step further and look for PowerShell running from that spawned shell, and it gets ‘very’ interesting. By using our Search API, we can find these behaviors no matter when they occurred. We do not need the system to be on at the time of the search: if it has run a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is always collecting and sending relevant process information, which is why we can find the data without relying on the system state at the time of searching.
In our Zenith console, I searched for this condition using the following:
Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process commandline includes powershell
This returns the PIDs (process IDs) of the processes we saw start up with these conditions. After this we can drill down to see the important details.
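The same three conditions can be written out as logic over process-start records. This is an added example, not Ziften's code or the Zenith Search API; the record fields (`host`, `pid`, `ppid`, `path`, `cmdline`) and the sample events are constructed assumptions.

```python
from collections import defaultdict

def ev(host, pid, ppid, path, cmdline):
    return {"host": host, "pid": pid, "ppid": ppid, "path": path, "cmdline": cmdline}

# Constructed process-start records, not real telemetry. Field names are
# assumptions for this example, not the Zenith schema.
EVENTS = [
    # Suspicious chain: Word -> cmd.exe (command line mentions powershell) -> powershell.exe
    ev("WS-01", 4100, 900, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
       r'WINWORD.EXE /n "C:\Users\alice\Downloads\invoice.docx"'),
    ev("WS-01", 4188, 4100, r"C:\Windows\System32\cmd.exe",
       "cmd.exe /c powershell.exe <arguments elided>"),
    ev("WS-01", 4220, 4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell.exe <arguments elided>"),
    # Benign: same cmd PID on another host, but the parent is Explorer
    ev("WS-02", 700, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev("WS-02", 4188, 700, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell Get-Date"),
    # Benign: Word spawning its print helper, no shell involved
    ev("WS-03", 5000, 900, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE"),
    ev("WS-03", 5010, 5000, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
]

def find_word_shell_chains(events):
    """Match: parent path contains word.exe, child path contains cmd.exe,
    child command line contains powershell (all case-insensitive)."""
    # PIDs are only unique per machine, so key every lookup by (host, pid).
    by_key = {(e["host"], e["pid"]): e for e in events}
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)
    hits = []
    for child in events:
        parent = by_key.get((child["host"], child["ppid"]))
        if parent is None:
            continue  # parent started before collection began, or record missing
        if ("word.exe" in parent["path"].lower()
                and "cmd.exe" in child["path"].lower()
                and "powershell" in child["cmdline"].lower()):
            # Also report PowerShell processes actually started under that shell.
            ps = [c["pid"] for c in children[(child["host"], child["pid"])]
                  if "powershell" in c["path"].lower()]
            hits.append({"host": child["host"], "word_pid": parent["pid"],
                         "cmd_pid": child["pid"], "powershell_pids": ps})
    return hits

if __name__ == "__main__":
    for hit in find_word_shell_chains(EVENTS):
        print(hit)
```

Only the WS-01 chain is reported; the Explorer-launched shell on WS-02 and Word's print helper on WS-03 do not match.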
In this first screenshot, we can see information about the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right side you can see details such as the system name and user, plus start time.
In the next image below, we look at the CMD process and get information about what was passed to PowerShell.
Most likely, it was when the user responded to the Microsoft Word pop-up dialog box that the CMD shell used PowerShell to go out and fetch some code that was hosted on the Louisiana Gov site. In the PowerShell image shown below we can see more information, such as the network connection details from when it was reaching out to the site to pull the fonts.txt file.
That IP address (188.8.131.52) is in fact the Louisiana Gov site. Often we see interesting data within our Network Connect information that may not match exactly what you expect.
After creating our Saved Search, we can alert on these conditions as they occur throughout the environment. We can also create extensions that change a GPO policy to not allow DDE, or even take further action and go and find these documents and remove them from the system if so desired. Being able to find interesting combinations of conditions within an environment is extremely powerful, and we are delighted to have this feature in our offering.