Written By Josh Harriman And Presented By Chuck Leaver
A fascinating multifaceted attack has actually been reported in a recent blog by Cisco’s Talos Intelligence group. I wanted to talk about the infection vector of this attack as it’s quite interesting and something that Microsoft has actually promised not to fix, as it is a feature and not a bug. Reports are can be found about attacks in the wild which are using a feature in Microsoft Word, called Dynamic Data Exchange (DDE). Information to how this is achieved are reported in this blog post from SecureData.
Distinct Phishing Attack with Microsoft Word
Attackers constantly look for new ways to breach an organization. Phishing attacks are one of the most common as attackers are counting on the fact that someone will either open a file sent out to them or go to a ‘faked’ URL. From there an exploit on a vulnerable piece of code usually gives them access to begin their attack.
But in this case, the files didn’t have a malicious item embedded in the Word doc, which is a favorite attack vector, however rather a tricky way of utilizing this function that allows the Word program to link out to obtain the real malicious files. This way they could hope or count on a much better success rate of infection as harmful Word files themselves may be scanned and erased prior to getting to the recipient.
Searching for Suspicious Habits with Ziften Zenith
Here at Ziften, we wanted to be able to alert on this habit for our customers. Finding conditions that display ‘odd’ behavior such as Microsoft Word spawning a shell is intriguing and not expected. Taking it further on and looking for PowerShell operating from that generated shell and it gets ‘very’ fascinating. By using our Search API, we can discover these habits no matter when they happened. We do not require the system to be switched on at the time of the search, if they have actually run a program (in this case Word) that showed these habits, we can discover that system. Ziften is constantly collecting and sending out relevant procedure details which is why we can find the data without relying on the system state at the time of searching.
In our Zenith console, I looked for this condition by looking for the following:
Process → Filepath contains word.exe, Child Process Filepath includes cmd.exe, Child Process commandline contains powershell
This returns the PIDs (Process ID) of the processes we saw start-up with these conditions. From there we can drill down to see the critical information.
In this first screenshot, we can see information around the process tree (Word spawning CMD with Powershell under that) on the left, and to the right side you can observe details such as the System name and User, plus start time.
Listed below in the next image, we take a look at the CMD process and get details regarding what was passed to Powershell.
More than likely when the user needed to address this Microsoft Word pop up dialog box, that is when the CMD shell utilized Powershell to go out and get some code that was hosted on the Louisiana Gov site. In the Powershell screen shot below we can see more details such as Network Connect info when it was connecting to the site to pull the fonts.txt file.
That IP address (220.127.116.11) remains in fact the Louisiana Gov site. Sometimes we see interesting data within our Network Connect information that may not match exactly what you anticipate.
After producing our Saved Search, we can alert on these conditions as they happen throughout the environment. We can likewise produce extensions that alter a GPO policy to not allow DDE or even take more action and go and find these documents and eliminate them from the system if so desired. Having the ability to find fascinating combinations of conditions within an environment is very effective and we are delighted to have this function in our offering.