Written By Josh Harriman And Presented By Chuck Leaver
An interesting multifaceted attack was reported in a recent blog post by Cisco’s Talos Intelligence group. I wanted to discuss the infection vector of this attack, as it is quite interesting and something that Microsoft has vowed not to fix, since it is a feature and not a bug. Reports are emerging of attacks in the wild that use a feature in Microsoft Word called Dynamic Data Exchange (DDE). Details of how this is accomplished are reported in this blog post from SecureData.
Special Phishing Attack with Microsoft Word
Attackers are always looking for new ways to breach an organization. Phishing attacks are among the most common, as attackers are banking on the fact that someone will either open a document sent to them or visit a ‘fake’ URL. From there, an exploit against a vulnerable piece of code usually gives them access to begin their attack.
In this case, however, the documents did not have a malicious object embedded in the Word doc, which is a favored attack vector. Instead they used this feature in a sneaky way that lets Word link out to retrieve the real malicious files. This way the attackers could hope for a better infection success rate, since malicious Word documents themselves may be scanned and deleted before reaching the recipient.
Searching for Suspicious Behaviors with Ziften Zenith
Here at Ziften, we wanted to be able to alert on this behavior for our customers. Microsoft Word spawning a shell is not expected, which makes it an interesting ‘unusual’ behavior to look for. Taking it a step further and looking for PowerShell running from that spawned shell makes it ‘very’ interesting. Through our Search API, we can find these behaviors no matter when they occurred. The system does not need to be powered on at the time of the search; if it has run a program (i.e. Word) that exhibited these behaviors, we can find that system. Ziften is always collecting and sending relevant process data, which is why we can find the data without relying on the system state at the time of the search.
In our Zenith console, I searched for this condition by looking for the following:
Process → Filepath includes word.exe, Child Process Filepath includes cmd.exe, Child Process commandline contains powershell
This returns the PIDs (Process IDs) of the processes we saw start up with these conditions. From there we can drill down to see the important details.
In this first image, we can see details of the process tree (Word spawning CMD with PowerShell under that) on the left, and on the right you can see details like the system name and user, plus start time.
Below in the next screenshot, we look at the CMD process and see what was passed to PowerShell.
Most likely, when the user answered this Microsoft Word pop-up dialog box, that is when the CMD shell used PowerShell to go out and fetch some code that was hosted on the Louisiana Gov website. In the PowerShell image below we can see more details, such as Network Link info from when it was reaching out to the website to pull the fonts.txt file.
That IP address (126.96.36.199) is in fact the Louisiana Gov website. Sometimes we see interesting data within our Network Connect information that might not match what you expect.
After creating our Saved Search, we can alert on these conditions as they occur throughout the environment. We can also create extensions that change a GPO policy to disallow DDE, or even take further action and find these documents and remove them from the system if desired. Being able to find interesting combinations of conditions within an environment is very powerful, and we are excited to have this feature in our offering.
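The search condition above (Word as parent, cmd.exe as child, PowerShell in the child's command line) can be expressed over generic process-creation records. The following is an added example, not Ziften's Search API or code from the original post; the event fields, hosts, PIDs and paths are constructed assumptions. It goes slightly beyond the stated condition by also matching PowerShell that appears only as a descendant process of cmd.exe.

```python
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "host pid ppid image cmdline")

# Constructed process-creation events; hosts, PIDs and paths are made up.
EVENTS = [
    Event("WS-01", 100, 4, r"C:\Office\WINWORD.EXE", "WINWORD.EXE /n report.docx"),
    Event("WS-01", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell.exe -Command <placeholder>"),
    Event("WS-01", 300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -Command <placeholder>"),
    # Same PIDs on another host: Word starts cmd.exe, but no PowerShell is involved.
    Event("WS-02", 100, 4, r"C:\Office\WINWORD.EXE", "WINWORD.EXE"),
    Event("WS-02", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    # Interactive admin use: cmd.exe and PowerShell without Word as an ancestor.
    Event("WS-03", 10, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event("WS-03", 20, 10, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    Event("WS-03", 30, 20, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # PowerShell appears only as a grandchild process, not in cmd.exe's command line.
    Event("WS-04", 100, 4, r"C:\Office\WINWORD.EXE", "WINWORD.EXE"),
    Event("WS-04", 200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c run.bat"),
    Event("WS-04", 300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -File <placeholder>"),
]

def find_word_cmd_powershell(events):
    """Return sorted (host, word_pid, cmd_pid) for cmd.exe children of Word that lead to PowerShell."""
    by_key = {(e.host, e.pid): e for e in events}   # key on host too: PIDs repeat across machines
    children = defaultdict(list)
    for e in events:
        children[(e.host, e.ppid)].append(e)

    def reaches_powershell(e, seen):
        if (e.host, e.pid) in seen:                  # guard against loops in the parent/child data
            return False
        seen.add((e.host, e.pid))
        if "powershell" in (e.image + " " + e.cmdline).lower():
            return True
        return any(reaches_powershell(c, seen) for c in children[(e.host, e.pid)])

    hits = []
    for e in events:
        parent = by_key.get((e.host, e.ppid))
        if (parent and "word.exe" in parent.image.lower()
                and "cmd.exe" in e.image.lower() and reaches_powershell(e, set())):
            hits.append((e.host, parent.pid, e.pid))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_word_cmd_powershell(EVENTS):
        print("Word pid %d spawned cmd pid %d on %s" % (hit[1], hit[2], hit[0]))
```

On real telemetry, PIDs are also reused on a single host over time, so the lookup key should include a process start time or a per-process unique identifier where the data source provides one.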