Computer Emergency Response Team of Mauritius (CERT-MU)

APT28's latest Word document attack eliminates needing to enable macros


The threat group APT28 (also known as Fancy Bear) is now using a little-used Microsoft Office feature that lets an attacker execute arbitrary code through a Word document without requiring the victim to enable macros.
Security firm McAfee observed the Microsoft Office Dynamic Data Exchange (DDE) technique being used as an attack vector, according to McAfee researchers Ryan Sherstobitoff and Michael Rea. The attackers also introduced a new lure, labelling the Word document as containing information on the recent terror attack in New York City.
The DDE protocol is a legacy Microsoft mechanism for sharing data between applications, but, as a Sophos report notes, it can also be abused to launch malware from Word, Excel or Outlook attachments without macros: a DDE field embedded in the document instructs Office to start an external program, such as a command interpreter, when the document is opened and its fields are updated. The victim still has to accept Word's prompts to update linked fields and to start the external application, but those dialogs look far less alarming than the macro security warning, so the technique removes one of the steps an attacker would otherwise need the victim to take; the payload fires as soon as the document is opened and the prompts are clicked through.
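Because the trigger is a field code rather than a macro, the practical check for a defender is to look inside the document for that field. The following Python script is an added example for this advisory, not code from McAfee, Sophos or CERT-MU: it treats a .docx as the ZIP archive it is, walks the field instructions in word/document.xml and any header/footer parts, joins instruction text that Word splits across several runs, and flags any field whose instruction begins with DDE or DDEAUTO. The two documents it builds in memory are constructed for the example (a benign DATE/PAGE document and one carrying a DDEAUTO field that would launch cmd.exe) and are not the IsisAttackInNewYork.docx sample.

```python
"""Scan .docx files for DDE / DDEAUTO field codes (added example, not CERT-MU code).

A .docx is a ZIP archive. Field instructions live in word/document.xml and in
header/footer parts either as <w:fldSimple w:instr="..."> elements or as
"complex" fields: a fldChar begin, one or more <w:instrText> runs, then a
fldChar separate/end. Attackers split the instruction across runs, so the runs
of one field are joined before matching.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE or DDEAUTO at the start of the instruction. Case-insensitive because Word
# accepts "ddeauto", and an optional leading quote covers quoted instructions.
DDE_RE = re.compile(r'^\s*"?\s*DDE(AUTO)?\b', re.IGNORECASE)

PART_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")


def _field_instructions(xml_bytes):
    """Yield the complete instruction text of every field in one XML part."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):          # simple fields
        yield fld.get(W + "instr", "")
    current = None                                  # complex fields
    for el in root.iter():                          # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                yield "".join(current)
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")


def scan_docx(data):
    """Return [(part_name, normalised_instruction)] for each DDE/DDEAUTO field.

    `data` is the raw bytes of a .docx. Headers and footers are scanned too,
    because a field placed there also fires when the document is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            try:
                instructions = list(_field_instructions(zf.read(name)))
            except ET.ParseError:
                continue
            for instr in instructions:
                if DDE_RE.search(instr):
                    hits.append((name, " ".join(instr.split())))
    return hits


def build_docx(body_xml):
    """Build a minimal in-memory .docx around the given body (constructed input)."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed sample: the DDEAUTO instruction is split over two instrText runs.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe "/c calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Loading...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

# Constructed sample: ordinary DATE (complex) and PAGE (simple) fields only.
BENIGN_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>27 October 2017</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:                                   # scan real files given on the command line
        for path in paths:
            with open(path, "rb") as fh:
                for part, instr in scan_docx(fh.read()):
                    print("%s: %s: %s" % (path, part, instr))
    else:                                       # demo on the constructed samples
        print("malicious:", scan_docx(build_docx(MALICIOUS_BODY)))
        print("benign:   ", scan_docx(build_docx(BENIGN_BODY)))
```

Run it with one or more .docx paths to scan attachments from a mail quarantine, or with no arguments to see the two constructed samples. Two limits worth knowing: the plain string match will not catch later variants that assemble the "DDEAUTO" string from QUOTE fields holding character codes, and legacy binary .doc files are not ZIP/XML and need a different parser.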
The McAfee team found several pieces of evidence tying these attacks to APT28, including the downloader and the command-and-control server domain, both of which can be linked to the group. The document it examined was:
Filename: IsisAttackInNewYork.docx
SHA-1: 1c6c700ceebfbe799e115582665105caa03c5c9e
Creation date: 2017-10-27T22:23:00Z
According to the researchers, public reporting shows that APT28 has used Seduploader as a first-stage payload for several years. Structural code analysis of the payloads observed in this campaign found them identical to earlier Seduploader samples employed by APT28. The control server domain associated with this activity, webviewres[.]net, is consistent with past APT28 domain registrations that spoof legitimate-sounding infrastructure.
Source:
SC Magazine
Cisco Daily News
Team Cymru
Contact Information
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis