Russian “Fancy Bear” Hacker Group Exploiting Microsoft Office

Russian Hacker Group “Fancy Bear” Currently Using an Exploit That Microsoft Refuses to Patch

Another headline about Russian Hackers has been circling the internet for over a week. In this latest event, the hacking group from Russia known as “Fancy Bear” has been utilizing a known vulnerability – DDE or Dynamic Data Exchange – to run code execution on targeted devices without the system requiring Macros enabled or memory corruption.

The DDE Protocol is one of many different ways that Microsoft allows two running applications to share the same data. Per Microsoft this is a feature and is not a bug and as such, they will not be writing any patches to address this vulnerability.

This protocol is currently being used by thousands of different apps including Microsoft Excel, Microsoft Word, Quattro Pro and even Visual Basic.

About a month ago the news was released, Cisco’s Talos threat research group published a report about ongoing attacks using this method and since then, this attack vector has picked up traction and is being used more and more often.


Russian Hackers Now Using New York Terror Attacks To Locate Potential Victims


McAfee published a report Tuesday stating that while analyzing a new spear phishing campaign, they had discovered that the Fancy Bear Russian hacker group has been leveraging the DDE Vulnerability since late October 2017.

This campaign focused on documents that referenced the recent terrorist attack in New York City – an attempt to trick potential victims into clicking on the infected documents and running malware on their systems.

One of the biggest issues is that since the DDE protocol is a legitimate feature of the applications and not a ‘bug’, most antivirus’s will not flag, display a warning or block documents with DDE fields.

What this means to you is that anyone who would click on the infected attachment would run this malicious code – without detection or remediation.

After the document is opened and the code runs, the system would contact a command-and-control server which would install the first stages of the malware – identified as SEDUPLODER on the victim’s machine. This is all being processed via PowerShell commands.

This SEDUPLOADER would then profile the system, returning host information from the system to the command-and-control system and eventually back to the hackers themselves. If this information is deemed beneficial to the hackers, a second stage malware installation is processed and spyware would be installed.

Attacks have included DNSMessenger, TrickBot Banking malware, Chanitor and even Lockey Ransomware, predominantly leveraging the Microsoft Word application.


How Do I Protect Myself?

Since Microsoft has taken the stance that this is a feature and not a bug or an item they will be patching/removing, the best course of action is to disable it entirely.

To do this,

You can also disable this feature via the user interface or though the Registry Editor itself.

This being said, the best way we would recommend to protect yourself from this and many other potential attacks is to always be suspicious of random documents sent via email, especially from unsolicited senders. If you do happen to open a document that contains links within the document, always verify the sender or that the data you are accessing is something you have requested or are expecting to receive.

Please follow, like and share Your Digital Mind:


I have been in the Information Technology industry for a little over a decade gaining a Bachelors degree in Information System Security and securing employment with various industries including Government, Financial, Healthcare, Corporate and the End User sectors. I started Your Digital Mind in 2016 as a way to share my love for Education, Technology and Science in an entertaining yet rewarding format. I hope you are learning and enjoying!

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *