APT28 Using DDE Vulnerability to Distribute Seduploader

Ongoing activity by APT26 (Fancy Bear) indicates they are exploiting the Dynamic Data Exchange (DDE) vulnerability in Microsoft Office to install the Seduploader malware. This malware is capable of exfiltrating data, executing code, downloading code and taking screenshots.

Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) is a cyber espionage group.

The attack uses seemingly authentic phishing emails specifically targeted at the recipient, in this case related to the New York terrorist attack in October (IsisAttackInNewYork.doc). Once a user opens the blank document DDE prompts the command line to run PowerShell, which then executes two commands to communicate with a Command & Control (C2) server and download the first stage of Seduploader.

Affected Platforms:-

Microsoft Windows – All Versions

Resolution:-

Consider disabling DDE.

DDE attacks embedded within emails directly can be neutered by viewing messages in plain text, including messages that are sent as HTML. Although this change will make some emails harder to read where colours and styling has been used.

Ensure that users are taking the time to check dialogue boxes before clicking ‘Yes’.

Users and administrators are encouraged to review Microsoft Security Advisory 4053440 regarding Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields (https://technet.microsoft.com/en-us/library/security/4053440.aspx)