Fancy Bear, the advanced hacking group researchers believe is tied to the Russian government, is actively using a recently revived technique that gives attackers a stealthy way of infecting computers with Microsoft Office documents, security researchers said this week.
Fancy Bear is one of two Russian-sponsored hacking groups researchers say breached Democratic National Committee networks ahead of last year’s presidential election. The group was recently detected sending a Word document that abuses a feature known as Dynamic Data Exchange. DDE allows a file to execute code stored in another file and lets applications send updates as new data becomes available.
In a blog post published Tuesday, Trend Micro researchers said Fancy Bear was sending a document titled IsisAttackInNewYork.docx that abused the DDE feature. Once opened, the file connects to a control server to download the first stage of a piece of malware called Seduploader and installs it on the target’s computer. DDE’s potential as an infection vector has been known for years, but a post published last month by security firm SensePost renewed interest in it. That post showed how DDE could be abused to install malware using Word files that went undetected by anti-virus programs.
A day after Trend Micro published its report on Fancy Bear, Microsoft posted an advisory describing how Office users can protect themselves from such attacks. The simplest way to stay safe is to be wary of unfamiliar messages that appear when opening a document. As SensePost’s post explained, before the DDE feature can be used, users will first see a warning dialog box.
If targets click yes, they are shown a second prompt.
The malicious payload executes only after a user has clicked yes to both warnings.
The Microsoft advisory also explains how more technically advanced users can change settings in the Windows registry to disable the automatic updating of data from one file to another.
Fancy Bear isn’t the first group to actively exploit DDE in the wild. Several weeks after the SensePost post went live, researchers reported that attackers were exploiting the feature to install the Locky ransomware.
Many researchers have remarked on the ability of DDE-enabled attacks to spread malware through Office documents without using macros. That trait is likely to make DDE effective in many settings, given the growing awareness of the dangers macros pose. But ultimately, the DDE mechanism comes with its own telltale signs, and people should learn to recognize them now that DDE attacks are becoming more common.
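One of those telltale signs is visible inside the document itself: a .docx is a zip of XML parts, and the DDE link the article describes is carried as a Word field code. The following scanner is an added defensive example, not code from the article, Trend Micro, SensePost or Microsoft; it reassembles each field’s instruction text (so a keyword split across several runs is still caught) and flags DDE and DDEAUTO fields, using a constructed sample document with placeholder values rather than any real lure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Added defensive example (not the article's or any vendor's code). A .docx is a zip of
# XML parts; DDE abuse is carried in Word field codes whose keyword is DDE or DDEAUTO.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # applied to reassembled field text

def field_codes(xml_bytes):
    """Yield every field instruction string found in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):  # simple field: instruction sits in an attribute
        yield fld.get(W + "instr", "")
    code = None  # complex field: fldChar begin, instrText runs, fldChar separate/end
    for el in root.iter():  # document order, so runs are concatenated as Word would read them
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                code = ""
            elif kind in ("separate", "end") and code is not None:
                yield code
                code = None
        elif el.tag == W + "instrText" and code is not None:
            code += el.text or ""

def scan_docx(data):
    """Return [(part_name, field_code)] for each DDE/DDEAUTO field in a .docx given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits

def make_sample_docx(field_runs):
    """Constructed sample: a minimal .docx whose body holds one complex field built from runs."""
    runs = "".join(f'<w:r><w:instrText xml:space="preserve">{t}</w:instrText></w:r>' for t in field_runs)
    body = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()

if __name__ == "__main__":  # keyword split across runs, placeholder app/args, as a lure might hide it
    print(scan_docx(make_sample_docx(["DDEA", 'UTO "placeholder-app" "placeholder-args"'])))
```

Run it against a real file with `scan_docx(open(path, "rb").read())`; a clean document returns an empty list, and a non-empty result is worth quarantining for review before anyone clicks through the two warnings.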