Written by Josh Harriman and presented by Charles Leaver
An intriguing, multifaceted attack was recently described in a blog post by Cisco's Talos Intelligence group. I want to discuss the infection vector of this attack, because it is quite fascinating and because Microsoft has stated it will not fix it, as it is a feature and not a bug. Reports are coming in of attacks in the wild that make use of a Microsoft Word feature called Dynamic Data Exchange (DDE). Details of how this is accomplished are in this blog post from SecureData.
An Unusual Phishing Attack Using Microsoft Word
Attackers are constantly searching for new ways to breach an organization. Phishing is among the most common, because adversaries are counting on someone either opening a file sent to them or visiting a crafted URL. From there, an exploit against a vulnerable piece of software usually provides the foothold needed to begin the attack.
In this case, however, the files did not carry a malicious object embedded in the Word document, which is a favorite attack vector. Instead, the attackers used a sly trick with this feature, which lets Word reach out and fetch the actual malicious files. They could hope for a better infection rate this way, since Word documents that themselves contain malicious content can be scanned and deleted before they reach the recipient.
Searching for Suspicious Behaviors with Ziften Zenith
Here at Ziften, we wanted to be able to alert on this behavior for our customers. Finding conditions that exhibit 'odd' behavior, such as Microsoft Word spawning a shell, is interesting and not expected. Take it a step further and look for PowerShell running from that spawned shell, and it gets 'very' interesting. Using our Search API, we can find these behaviors no matter when they occurred. The system does not need to be online at the time of the search: if it ran a program (in this case Word) that exhibited these behaviors, we can find that system. Ziften is continuously collecting and sending the relevant process details, which is why we can find the data without depending on the state of the system at the time of the search.
In our Zenith console, I searched for this condition using the following criteria:
Process → Filepath contains word.exe, Child Process Filepath contains cmd.exe, Child Process command line contains powershell
This returns the PIDs (process IDs) of the processes that started up under these conditions. From there we can drill down to see the important details.
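The Zenith search above, expressed as a stand-alone check over process telemetry, as an added example that is not Ziften's code; the ProcessEvent record shape and the sample events are constructed for illustration and do not reflect Zenith's actual data format:

```python
"""Added example, not Ziften's code: flag the Word -> cmd.exe -> PowerShell
chain from the Zenith search above over constructed process-telemetry records."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:      # hypothetical record shape, constructed for this example
    pid: int
    ppid: int
    path: str            # image path of the process
    cmdline: str         # command line it was launched with
    host: str = "host"
    user: str = "user"


def find_word_shell_chains(events):
    """Return (word_pid, cmd_pid) pairs where a process whose path contains
    'word.exe' spawned cmd.exe with 'powershell' on its command line.
    Matching is case-insensitive because Windows paths are."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if "cmd.exe" not in e.path.lower():
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or "word.exe" not in parent.path.lower():
            continue
        if "powershell" not in e.cmdline.lower():
            continue
        hits.append((parent.pid, e.pid))
    return hits


# Constructed sample telemetry: one Word process that spawned cmd.exe which
# invoked PowerShell, plus benign neighbours that must not match.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 '"WINWORD.EXE" /n report.docx', host="WS01", user="alice"),
    ProcessEvent(300, 200, r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell -NoProfile -Command Get-Date", host="WS01", user="alice"),
    ProcessEvent(310, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo done"),
    ProcessEvent(400, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -Command Get-Date"),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for word_pid, cmd_pid in find_word_shell_chains(SAMPLE_EVENTS):
        cmd = by_pid[cmd_pid]
        print(f"{cmd.host}/{cmd.user}: Word pid {word_pid} spawned cmd pid {cmd_pid}: {cmd.cmdline}")
```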
In this first screenshot, we can see the process tree (Word spawning CMD, with PowerShell under that) on the left, and on the right, details such as the system name and user, plus the start time.
In the next image below, we look at the CMD process and get details of exactly what was passed to PowerShell.
Most likely, when the user had to respond to this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and retrieve code hosted on the Louisiana Gov site. In the PowerShell screenshot below we can see more details, such as the Network Connect information from when it reached out to the website to pull the fonts.txt file.
That IP address (220.127.116.11) is in fact the Louisiana Gov site. Sometimes we see interesting data in our Network Connect details that does not match what you would expect.
Once we have created a Saved Search, we can alert on these conditions as they occur across the environment. We can also build extensions that change a GPO policy to disable DDE, or go further and locate these files and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is very powerful, and we are proud to have this capability in our product.