Locky Ransomware Spam Infects via Microsoft OfficeLook Ma, No Macros: Malicious Spam Wields Windows Application-Linking Feature
Attackers wielding Locky ransomware have a new trick up their sleeves: the ability to infect PCs via malicious Microsoft Word documents by using an application-linking feature built into Windows.
Locky attacks debuted in 2016, but they diminished sharply at the beginning of the year before storming back in August (see Locky Ransomware Returns With Two New Variants). Since then, Locky campaigns have continued, with attackers last month using not just malware-laced spam messages to attempt to infect victims, but also phishing attacks designed to look like Dropbox.
In recent days, a new Locky campaign has emerged, once again being launched by the prolific Necurs botnet, which has long been used by attackers to fling malicious spam, banking Trojans and ransomware - including Jaff - at potential victims.
The new version of Locky has been spotted by numerous security experts, including U.K.-based Kevin Beaumont, who says via Twitter that it's the "first proper Locky update in some time." He notes that the latest campaign appears to be using "a few different tool kits bolted together to try to spread Locky" and says that it's not yet clear if its spreading mechanism, which uses Windows server message block protocol to extend the outbreak inside a network, is effective.
We have first proper Locky update in some time. Uses Word DDE feature for delivery, and SMB for lateral movement. https://t.co/NzYSF2D50V— Beaumont Porg, Esq. (@GossiTheDog) October 19, 2017
Security researchers say these phishing attacks sent via Necurs botnet spam appear to be serving Locky for victims in some geographies and the Trickbot banking Trojan for victims in other locations.
Locky Demands Bitcoins
Historically, many malicious spam campaigns have attached to emails Word documents that include malicious macros. But such attacks require tricking users into enabling macros, which many administrators now block by default, owing to the risk they pose (see Hello! Can You Please Enable Macros?).
The latest Locky campaign, however, is using an application-linking feature in Windows called Dynamic Data Exchange to infect systems.
"I opened one of the Word documents in my lab environment and found a 1st stage malware (presumably a downloader) and a 2nd stage malware (Locky) during the infection," security researcher Brad Duncan at the SANS Institute's Internet Storm Center says in a blog post.
After it infected all of the files on his test system, Duncan reports that the Locky malware deleted itself, leaving behind a locked system and a note demanding a 0.25 bitcoin ransom. At the cryptocurrency's current sky-high valuation paying that ransom would cost $1,400 (see Please Don't Pay Ransoms, FBI Urges).
Back to the Future
Dynamic Data Exchange is a method that allows information in one program to be linked to another. For example, the value in a cell in a Microsoft Excel spreadsheet could be linked to another application and automatically update when the value in the application changed.
DDE debuted in 1987 as part of the 16-bit Windows 2.0 operating systems and is still supported in the latest versions of Windows. Even so, it's been largely superseded by Object Linking and Embedding data structures. As defined by Microsoft, these OLE structures "enable applications to create documents that contain linked or embedded objects."
As far back as 2007, Microsoft Windows guru Raymond Chen told programmers to "please feel free to stop using DDE" because the tool didn't always play well in the 32-bit Windows world.
Warnings about DDE began surfacing in March via security researcher Alex Davies (@pwndizzle), who said that DDE appeared to be a "very hackable feature," although added that he'd been unable to get DDE to execute in Word or PowerPoint.
Five months later, however, security researchers Etienne Stalmans and Saif El-Sherei of SensePost, the consultancy arm of European security services firm SecureData, reported that they solved that challenge.
The researchers write in a recently published blog post that a Word document can be created that automatically attempts to update included links via DDE. This feature could be abused by attackers, they warned, if the attackers could trick a victim into opening the document. At that point, the malicious document could automatically execute an external application, such as a malware downloader, as has now been seen in the latest Locky attacks.
For attackers, DDE offers "a way to get command execution on Microsoft Word without any macros, or memory corruption," Stalmans and El-Sherei said.
The SensePost researchers reported the DDE attack risk to Microsoft on Aug. 23 and were told on Sept. 26 by Microsoft that "it is a feature and no further action will be taken, and will be considered for a next-version candidate bug," meaning it might be eliminated in the next version of Windows.
Then again, DDE may never go away. Security experts such as anti-virus researcher Vesselin Bontchev have sided with Microsoft and noted that DDE works in all senses exactly as it was designed to do.
I'm with Microsoft on this. It's as old as the hills (older than macros), works as intended, you do get a warning. Nothing to patch.— Vess (@VessOnSecurity) October 10, 2017
Thankfully, there is a simple workaround that will block the malicious use of DDE without any ramifications, "provided your company does not use the DDE feature to dynamically update Word files with content from Excel spreadsheets," according to the My Online Security forum. If so, this defense will break that functionality.
Awesome new vector to BREAK this awesome new vector: pic.twitter.com/zJzLrkgD8L— Brian Boettcher (@boettcherpwned) October 11, 2017
Here's the workaround: In Microsoft Word, under "File: Options: Advanced," in the "General" section, uncheck the "Update Automatic links at Open" setting. After that, "there is then no physical way that a recipient can click 'yes' to allow the links to work and download anything," according to My Online Security.