Scenario: Auto DDE - Fileless Malware

OVERVIEW: Dynamic Data Exchange (DDE) is a legacy Microsoft inter-process protocol that an Office field code can use to launch another application and pass it data. Because the field code is not a macro, it is not subject to the macro security warnings and works even when macros are disabled.

BUSINESS PROBLEM: Employees may receive a document that contains DDE field codes without being aware of it.

THREAT: Using the feature requires no macro, so the user sees no macro security warning. The only indications are Word's own dialogs: first a generic prompt asking whether to update the document's links, then a prompt asking whether to start the application named in the field. Once these are accepted, the payload runs automatically.

SAMPLE 1:

Sample CV as a Word document (its Auto DDE field redirects the user's browser to a website)

TEST USING GX PLATFORM:


UPDATE

  • Microsoft's Office defence-in-depth update of December 2017 (advisory ADV170021) disables DDE in Word by default
  • If that update is applied to the test PC, DDE must be re-enabled to complete the test: ADV170021 documents the AllowDDE DWORD under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options (0 = disabled, the new default; 2 = fully enabled)
  • Also, most anti-virus products are now updated to blacklist any file containing an Auto DDE field, so a test PC with current AV may quarantine the sample before it can be opened

  • With CTR DISABLED
    (i.e. the ICAP profile is disabled on the web proxy, or the browser is set to bypass the proxy)

  • Download the file to your local drive
  • Open the file in Word - it will prompt you to update links from another document
  • When accepted, your browser will launch - it should connect to an external website (BBC in this example)

  • With CTR ENABLED

  • Download the file
  • Open the Word file
  • Examine the small text - this is where the Auto DDE field sat; it is now plain text, so you can no longer toggle the field code (Alt+F9) to reveal it!

  • OUTCOME
  • Deep Secure assumes all data is hostile, regardless of source
  • The Word file is subject to Content Transforms
  • The field code is not carried through the transform; only the (harmless) business information remains
  • This means the business information is delivered to the user, rather than the whole file being quarantined by anti-virus
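As an added example (not Deep Secure's code and not part of the original page), the following Python does two things the test above relies on: it scans a .docx for the DDE and DDEAUTO field codes that the Auto DDE sample uses (the detection an anti-virus blacklist has to perform), and it applies a simple content transform of the kind the OUTCOME describes, dropping every field so that only the ordinary text reaches the user. The document it works on is constructed inline and wrapped in a minimal zip container rather than a full Word package; the browser path and URL inside its field codes are assumptions standing in for the BBC-redirect sample, whose actual field code is not reproduced on the page.

```python
# Added example, not Deep Secure's or Microsoft's code: find DDE/DDEAUTO field
# codes in a .docx, then apply a simple content transform that drops every
# field code and keeps the ordinary text. The sample document is constructed
# inline; the browser path and URL in its fields are assumed stand-ins for the
# page's "redirects to BBC" sample, whose real field code is not reproduced.
from __future__ import annotations
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
ET.register_namespace("w", W_NS)
# Matched against the joined instruction text, so a keyword split across
# several instrText runs is still caught. Character-code obfuscation built
# from nested QUOTE fields is out of scope here.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# Constructed word/document.xml: CV text, a complex field whose instruction is
# deliberately split over two runs, a simple field, then more CV text.
SAMPLE_DOCUMENT_XML = """<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>
<w:p><w:r><w:t>Jane Doe - Senior Analyst. 10 years in finance.</w:t></w:r></w:p>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">EAUTO "C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe" "http://www.bbc.co.uk" </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:t>[cached field result]</w:t></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" DDE &quot;C:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe&quot; &quot;http://www.bbc.co.uk&quot; "><w:r><w:t>[cached]</w:t></w:r></w:fldSimple></w:p>
<w:p><w:r><w:t>References available on request.</w:t></w:r></w:p>
</w:body></w:document>"""


def build_docx(document_xml) -> bytes:
    """Minimal zip container around document.xml (enough for the scanner,
    not a fully Word-conformant package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def _document_root(docx_bytes: bytes) -> ET.Element:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return ET.fromstring(z.read("word/document.xml"))


def _step(depth: int, kind: str | None) -> int:
    """Track field nesting from fldChar begin/end markers."""
    return depth + (1 if kind == "begin" else -1 if kind == "end" else 0)


def scan_docx(docx_bytes: bytes) -> list[str]:
    """Instruction text of every DDE/DDEAUTO field in the document body."""
    root = _document_root(docx_bytes)
    # Simple fields carry the whole instruction in one attribute.
    found = [f.get(W + "instr", "").strip() for f in root.iter(W + "fldSimple")
             if DDE_RE.search(f.get(W + "instr", ""))]
    # Complex fields spread it over instrText runs between begin and end
    # markers; walk runs in document order and join the pieces.
    depth, parts = 0, []
    for run in root.iter(W + "r"):
        for child in run:
            if child.tag == W + "fldChar":
                kind = child.get(W + "fldCharType")
                depth = _step(depth, kind)
                if kind == "end" and depth == 0:
                    instr, parts = "".join(parts), []
                    if DDE_RE.search(instr):
                        found.append(instr.strip())
            elif child.tag == W + "instrText" and depth > 0:
                parts.append(child.text or "")
    return found


def transform_docx(docx_bytes: bytes) -> bytes:
    """Content transform: remove every field (code and cached result), keep
    only ordinary text runs. No DDE detection is needed, so an obfuscated
    field code is dropped along with the rest."""
    root = _document_root(docx_bytes)
    parent_of = {c: p for p in root.iter() for c in p}
    doomed = list(root.iter(W + "fldSimple"))
    depth = 0
    for run in root.iter(W + "r"):
        marker = run.find(W + "fldChar")
        if depth > 0 or marker is not None:
            doomed.append(run)
        if marker is not None:
            depth = _step(depth, marker.get(W + "fldCharType"))
    for el in doomed:
        parent_of[el].remove(el)
    return build_docx(ET.tostring(root, encoding="UTF-8", xml_declaration=True))


def visible_text(docx_bytes: bytes) -> list[str]:
    """Paragraph text as the reader sees it, empty paragraphs dropped."""
    root = _document_root(docx_bytes)
    paras = ["".join(t.text or "" for t in p.iter(W + "t")) for p in root.iter(W + "p")]
    return [p for p in paras if p]


if __name__ == "__main__":
    hostile = build_docx(SAMPLE_DOCUMENT_XML)
    print("DDE fields found:", scan_docx(hostile))
    clean = transform_docx(hostile)
    print("after transform:", scan_docx(clean), visible_text(clean))
```

The two halves illustrate the difference the OUTCOME draws. Scanning has to recognise DDE, which means joining the pieces of a complex field before matching (the split " DD" / "EAUTO" runs in the sample would defeat a signature that looks at runs one at a time), and it still has blind spots such as field codes assembled from character codes. The transform never asks what the field does: every field and its cached result are removed and only the plain text runs are rebuilt, which is what "assume all data is hostile" amounts to in practice. A production transform would also have to cover the other package parts where fields can live (headers, footers, footnotes, text boxes and embedded objects), which this example leaves untouched.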