Russian “Fancy Bear” Hacker Group Exploiting Microsoft Office


Russian Hacker Group “Fancy Bear” Currently Using an Exploit That Microsoft Refuses to Patch

Another headline about Russian hackers has been circulating the internet for over a week. In this latest event, the hacking group from Russia known as “Fancy Bear” has been using a known vulnerability – DDE, or Dynamic Data Exchange – to achieve code execution on targeted devices without requiring macros to be enabled and without any memory corruption.

The DDE protocol is one of many different ways that Microsoft allows two running applications to share the same data. Per Microsoft, this is a feature and not a bug, and as such they will not be writing any patches to address this vulnerability.

This protocol is currently being used by thousands of different apps including Microsoft Excel, Microsoft Word, Quattro Pro and even Visual Basic.

About a month ago, Cisco’s Talos threat research group published a report about ongoing attacks using this method, and since then this attack vector has picked up traction and is being used more and more often.


Russian Hackers Now Using New York Terror Attacks To Locate Potential Victims

McAfee published a report Tuesday stating that while analyzing a new spear phishing campaign, they had discovered that the Fancy Bear Russian hacker group has been leveraging the DDE Vulnerability since late October 2017.

This campaign focused on documents that referenced the recent terrorist attack in New York City – an attempt to trick potential victims into clicking on the infected documents and running malware on their systems.

One of the biggest issues is that since the DDE protocol is a legitimate feature of the applications and not a ‘bug’, most antivirus products will not flag, warn about, or block documents with DDE fields.

What this means to you is that anyone who clicks on the infected attachment would run this malicious code – without detection or remediation.

After the document is opened and the code runs, the system contacts a command-and-control server, which installs the first stage of the malware – identified as SEDUPLOADER – on the victim’s machine. This is all done via PowerShell commands.

This SEDUPLOADER then profiles the system, returning host information to the command-and-control server and eventually back to the hackers themselves. If this information is deemed valuable to the hackers, a second-stage malware installation follows and spyware is installed.

Attacks have included DNSMessenger, the TrickBot banking malware, Chanitor and even Locky ransomware, predominantly leveraging the Microsoft Word application.


How Do I Protect Myself?

Since Microsoft has taken the stance that this is a feature and not a bug or an item they will be patching/removing, the best course of action is to disable it entirely.

To do this,

You can also disable this feature via the user interface or through the Registry Editor itself.

That said, the best way we can recommend to protect yourself from this and many other potential attacks is to always be suspicious of unexpected documents sent via email, especially from unsolicited senders. If you do open a document that contains links, always verify the sender and confirm that the content is something you requested or were expecting to receive.
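Because, as noted above, most antivirus products will not flag a document just for carrying a DDE field, a defender who wants to screen incoming attachments has to look for the field code directly. The script below is an added example written for this article, not a tool from the original post or from any vendor named in it. A .docx is a ZIP archive, and Word field instructions live in word/document.xml (and the header/footer parts) either as the w:instr attribute of a w:fldSimple element or as w:instrText runs between w:fldChar begin and end markers; a field whose instruction starts with the keyword DDE or DDEAUTO is what asks Word to launch another program when the document is opened. The function names, the sample documents and the PLACEHOLDER strings in them are all constructed for this example; the WordprocessingML namespace URL is the real one used by Word.

```python
"""Flag Dynamic Data Exchange (DDE) field codes inside .docx attachments.

Constructed example for this article, not a tool from the original post.
Scans every XML part under word/ so fields hidden in headers or footers are
caught, and reassembles complex fields whose instruction is split across
several runs (a common way such fields appear in real documents).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Real WordprocessingML namespace used by word/document.xml.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field keywords that invoke Dynamic Data Exchange.
DDE_KEYWORDS = ("DDE", "DDEAUTO")


def _is_dde(instruction: str) -> bool:
    """True when the first token of a field instruction is a DDE keyword.

    Comparison is case-insensitive: Word accepts 'ddeauto' as well as 'DDEAUTO'.
    """
    tokens = instruction.strip().split()
    return bool(tokens) and tokens[0].upper() in DDE_KEYWORDS


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return (part name, instruction) for every DDE field in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = [n for n in zf.namelist()
                 if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            root = ET.fromstring(zf.read(name))
            # Simple fields carry the whole instruction in one attribute.
            for fld in root.iter(W + "fldSimple"):
                instr = fld.get(W + "instr", "")
                if _is_dde(instr):
                    findings.append((name, instr.strip()))
            # Complex fields: instruction text is spread over instrText runs
            # between fldChar begin/end markers, and fields may nest, so keep a
            # stack of open fields and check each one as it closes.
            stack = []
            for el in root.iter():  # document order
                if el.tag == W + "fldChar":
                    ftype = el.get(W + "fldCharType")
                    if ftype == "begin":
                        stack.append([])
                    elif ftype == "end" and stack:
                        instr = "".join(stack.pop())
                        if _is_dde(instr):
                            findings.append((name, instr.strip()))
                elif el.tag == W + "instrText" and stack:
                    stack[-1].append(el.text or "")
    return findings


def build_sample_docx(instruction_runs) -> bytes:
    """Construct a minimal .docx with one complex field (test data only).

    instruction_runs: list of strings, each becoming one instrText run.
    """
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % r
        for r in instruction_runs)
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>cached field result</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W_NS, runs))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
    return out.getvalue()


# Constructed samples: one benign DATE field, one DDEAUTO field split across
# runs, one lower-case variant. PLACEHOLDER_* strings stand in for a payload.
BENIGN_DOCX = build_sample_docx([' DATE \\@ "d MMMM yyyy" '])
SUSPICIOUS_DOCX = build_sample_docx(
    [" DDEAUTO ", '"PLACEHOLDER_PROGRAM" "PLACEHOLDER_ARGUMENTS"'])
LOWERCASE_DOCX = build_sample_docx([" ddeauto ", '"PLACEHOLDER_PROGRAM"'])

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX),
                       ("suspicious", SUSPICIOUS_DOCX),
                       ("lowercase", LOWERCASE_DOCX)):
        print(label, find_dde_fields(doc))
```

Run against a real attachment with `find_dde_fields(open("attachment.docx", "rb").read())`; a non-empty result is reason to quarantine the file for review rather than deliver it. This is a signature check on the field keyword, not a proof of safety: a clean result only means no DDE field was found in the document's XML parts, so it complements, rather than replaces, the advice above to disable DDE and to distrust unexpected attachments.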
