
Microsoft Office Dynamic Data Exchange (DDE) attacks 2023

In this article we look at how the Dynamic Data Exchange (DDE) feature of Microsoft Office can be abused to run commands from a document.

Microsoft Office documents are widely abused by malware authors, who embed links, objects and other data in them. Whether the payload actually runs often depends on how the user interacts with the document. Usually an embedded payload executes when the user enables macros, but that is not the only route: other methods need far less interaction. In this article we look at one such technique, which uses the Dynamic Data Exchange (DDE) protocol.

Before we look at the technique itself, we need to explain the DDE protocol a little further.

Windows offers several mechanisms for transferring data between applications, and DDE is one of them. The protocol is message based: the two applications talk through Windows messages, and the data itself is passed in shared (global) memory. The application that initiates a conversation acts as the DDE client, and the application that responds acts as the DDE server.

Researchers at SensePost found that the DDE protocol can be invoked from MS Word with very little user interaction. According to their research, MS Word uses DDE in fields. Fields are an important part of MS Word and are used to insert dynamic content into a document.

In the section below, we see how DDE can be used in MS Word.


Microsoft Office Dynamic Data Exchange

  1. Create a new document and put some text in it. Now insert a field: click Insert > Quick Parts > Field.
  2. In the Field dialog, select the field name "= (Formula)" and click OK. Word inserts a field whose displayed result reads "!Unexpected End of Formula", because the formula is empty.
  3. Right-click the field and click Toggle Field Codes. The field now shows its code (the empty formula between braces) instead of its result.
  4. Edit the text inside the braces: replace the formula with a DDEAUTO instruction that names the full path to cmd.exe and passes it the /k switch followed by the command to run (here cmd.exe again). DDEAUTO tells Word to start that application automatically when the document is opened, and /k keeps the launched cmd.exe process running after it has executed its argument. Save the document as .docx, close it and open it again.
  5. Because the document now contains a linked field, Word asks the user whether the document should be updated with data from linked files; updating content from linked sources is, after all, the whole purpose of such fields. If the user clicks Yes, the attack proceeds; if the user clicks No, the attack stops right here.
  6. If the user clicked Yes, a second dialog asks whether to start the application cmd.exe. This prompt is the effect of the DDEAUTO instruction. Again, Yes lets the attack proceed and No stops it at this point.
  7. If the user clicked Yes again, a final prompt appears, but by this time cmd.exe has already started and launched the second cmd.exe instance. In a real-world exploit scenario, the user is already infected at this point: cmd.exe has been executed from MS Word.

The researchers also found that DDE is not limited to MS Word: the same technique works in MS Excel and MS Outlook. In Outlook it can even be triggered through calendar invites.

Malware authors started using this weakness soon after it was published, enticing users to open their documents. Researchers found an active campaign exploiting it to distribute Hancitor, a downloader that fetches banking Trojans and other payloads, including ransomware, onto the infected machine; Hancitor had previously been distributed as a macro-enabled document attached to phishing email. SANS also reported that the operators of the Necurs botnet (used to distribute Locky ransomware) switched from the old-fashioned macro-enabled document to documents that exploit DDE.

Because DDE is a legitimate Microsoft feature, most antivirus products do not flag its use, and Microsoft initially treated it as a feature rather than a vulnerability and did not issue a patch. (Microsoft later published security advisory ADV170021, which disables DDE in Word by default and adds registry settings to control it.) Below are some of the ways in which users can protect themselves.

  1. The rule of thumb is never to open a document from an unknown source, and never to click Yes in the prompts such a document raises.
  2. Turn off automatic updating of links when documents are opened (in Word: File > Options > Advanced > General, untick "Update automatic links at open"; the same setting is the DontUpdateLinks value under the Word Options registry key). With this off, the DDEAUTO field is not evaluated when the document opens.
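The following is an added example, not code from the original article or from SensePost, and it serves both the walkthrough above and the mitigations list. A .docx is a zip archive, and the field built in the walkthrough is stored in word/document.xml as a sequence of runs: a fldChar "begin" marker, one or more instrText runs carrying the instruction, a fldChar "separate" marker, the cached result text (the "!Unexpected End of Formula" the user sees) and a fldChar "end" marker. The example builds such a document in memory with a DDEAUTO instruction of the kind the walkthrough describes (the cmd.exe path and the "/k cmd.exe" argument are assumptions), then extracts every field instruction and flags DDE and DDEAUTO ones. It concatenates the instrText runs of each field, so an instruction that has been split across many runs to defeat a naive grep is still seen whole.

```python
"""Build a minimal .docx carrying a DDEAUTO field, then scan .docx files for DDE fields.

Added example, not code from the original article or from SensePost. The sample
field instruction and the file layout are constructed here; paths are assumptions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instruction of the kind the walkthrough describes: DDEAUTO launches the named
# application when the document opens; "/k" keeps that cmd.exe alive after it runs
# its argument. Backslashes are doubled because "\" is the switch character in fields.
# Path and argument are assumptions for the example.
DEMO_FIELD = r'DDEAUTO c:\\Windows\\System32\\cmd.exe "/k cmd.exe"'

# DDE or DDEAUTO at the start of the instruction, ignoring leading whitespace and case.
DDE_RE = re.compile(r"^\s*(?:DDEAUTO|DDE)\b", re.IGNORECASE)

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)


def build_dde_docx(field_code: str, chunk: int = 0) -> bytes:
    """Return a minimal .docx whose body holds one complex field with this instruction.

    With chunk > 0 the instruction is split into instrText runs of that many characters,
    mimicking documents that spread the field code over many runs to defeat naive grep.
    """
    pieces = [field_code] if chunk <= 0 else [
        field_code[i:i + chunk] for i in range(0, len(field_code), chunk)
    ]
    instr_runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(p)}</w:instrText></w:r>'
        for p in pieces
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{instr_runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>!Unexpected End of Formula</w:t></w:r>"  # cached result shown to the user
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("_rels/.rels", RELS)
        zf.writestr("word/document.xml", document_xml)
    return out.getvalue()


def extract_field_codes(docx_bytes: bytes) -> list[str]:
    """Return every field instruction in word/document.xml, simple and complex fields alike."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    codes: list[str] = []
    # Simple fields keep the whole instruction in an attribute.
    for fld in root.iter(W + "fldSimple"):
        codes.append(fld.get(W + "instr", ""))
    # Complex fields: collect instrText between a "begin" marker and its "end" marker.
    # A stack handles nested fields such as { QUOTE { DDEAUTO ... } }.
    stack: list[list[str]] = []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return the field instructions that would open a DDE conversation."""
    return [code for code in extract_field_codes(docx_bytes) if DDE_RE.search(code)]


if __name__ == "__main__":
    for label, doc in (("single run", build_dde_docx(DEMO_FIELD)),
                       ("split runs", build_dde_docx(DEMO_FIELD, chunk=3)),
                       ("benign field", build_dde_docx("PAGE"))):
        print(f"{label}: {find_dde_fields(doc)}")
```

The scanner only reads word/document.xml; fields can also sit in headers, footers and footnotes (other parts under word/), and attackers obfuscate instructions further with QUOTE fields that assemble the keyword from character codes, so a production scanner should walk every part and decode QUOTE as well. The msodde script in the oletools package does this and is the practical choice for triage; the point of the example is to show where the instruction lives and why concatenating runs matters.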

