Locky updated to exploit Office DDE feature and spread ransomware

A legitimate feature in Microsoft Office that allows Word to load data from other documents is being exploited to push a new variant of the Locky ransomware. Victims are reportedly targeted with malspam messages via the infamous Necurs botnet.

Under the subject line “Emailed Invoice” followed by a string of random numbers, the malspam attack leverages Microsoft Dynamic Data Exchange (DDE). Distributed with the aid of the Necurs botnet, the exploit makes Microsoft Word display dialog messages that some users might dismiss reflexively, even though the dialogs contain security warnings.

Unbeknown to them, the succession of clicks ultimately downloads and runs the Locky ransomware, locking down the victims’ hard drives and demanding 0.25 Bitcoin ($1,474 at today’s trading) in ransom money for the decryption keys.

The new version of Locky reportedly also exploits SMB flaws in unpatched computers on a network to spread to additional victims, a wormable behavior similar to that of the WannaCry pathogen back in May.

The attack uses several elements to hide from AV software:

  • It exploits what is essentially intended functionality (Microsoft itself calls DDE a feature, not a bug), so once the user has clicked through the security warnings, it may already be too late.
  • The attachment appears as a benign 7zip attachment, making it difficult for antimalware solutions to single it out. As infosec expert Vess (VessOnSecurity) puts it, “Works as intended, you do get a warning. Nothing to patch.”
  • It uses an encrypted txt file that gets converted to a working Locky file, again, after the fact.
  • If email spoofing is employed, the infected file can appear to come from a known sender, further increasing the possibility of fooling the user.

The illustration above depicts – in the simplest form – how the attack unfolds, courtesy of Brad Duncan (on duty at ICS at the time of discovery).

The updated Locky ransomware has been circulating for two months, but no major attacks have so far been recorded.

Users should follow basic safety rules and avoid downloading email attachments they are not expecting.
