Cisco's Talos malware researchers posted about a highly sophisticated, targeted spear phishing attack using malicious Word attachments, spoofed to look like it was from the U.S. Securities and Exchange Commission EDGAR filing system, and used DNS to create a bidirectional Command & Control channel. The Word attachments contained SEC logos and branding, social engineering the user to believe that the emails were legit and click on prompts.
The attack abused the Microsoft DDE protocol, which allows dynamic data exchange between applications, and used the contents of DNS TXT record queries and the associated responses generated on the attacker-controlled DNS server as the command and control channel. The targets included insurance, finance, and IT companies.
Cisco said: "We have since observed additional attacks leveraging this type of malware attempting to infect several target organizations. These attacks began with a targeted spear phishing email to initiate the malware infections and also leveraged compromised U.S. state government servers to host malicious code used in later stages of the malware infection chain."
Craig Williams, senior threat researcher and global outreach manager at Talos, told SC Media that Cisco's threat intelligence team first observed the SEC phishing campaign on October 10. In its report, Talos does not elaborate on which companies were specifically targeted by the phishing operation, other than to note that the intended victims were similar to those targeted in prior DNSMessenger campaigns.
"These attacks were highly targeted in nature; the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate."
Earlier this year, researchers at SensePost determined that DDE could essentially be exploited to execute malicious code in Microsoft Word. Microsoft reportedly chose not to act on the findings, calling this functionality an intentional feature. However, SensePost noted in a blog post that Microsoft said it would consider reclassifying the feature as a bug in the next version of Windows.
Asked for comment, a Microsoft spokesperson offered the following statement: “This technique requires a user to disable Protected Mode and click through one or more additional prompts. We encourage customers to use caution when opening suspicious email attachments.” New-school security awareness training would be very helpful with that.
Opening the attachment would trigger a notification indicating that the document contains links to external files, and asking the user for permission to import and display this content. Agreeing to do so triggered the infection, as the document would use the Windows DDE protocol to retrieve malicious code from a compromised government website owned by the state of Louisiana.
"This attack shows the level of sophistication that is associated with threats facing organizations today," Talos notes in its blog post. "The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace."
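The DNS TXT channel described above leaves a trace in resolver logs: one client issuing many TXT queries for distinct, random-looking subdomains under a single zone. The following detection heuristic is an added example written for this post, not code from Talos or from the malware; the log format, the sample lines, the placeholder zone name and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log lines: "<epoch> <client_ip> <qname> <qtype>".
# The zone "c2-placeholder.example" is a made-up stand-in, not a real indicator.
SAMPLE_LOG = """\
1507600001 10.1.2.3 www.example.com A
1507600002 10.1.2.3 a3f9c1e0d4b7.cmd.c2-placeholder.example TXT
1507600003 10.1.2.3 b81e77a0ff2c.cmd.c2-placeholder.example TXT
1507600004 10.1.2.3 9d0c4e11a7b2.cmd.c2-placeholder.example TXT
1507600005 10.1.2.3 e5a6b7c8d9f0.cmd.c2-placeholder.example TXT
1507600006 10.1.2.3 0f1e2d3c4b5a.cmd.c2-placeholder.example TXT
1507600007 10.1.2.4 _dmarc.example.com TXT
1507600008 10.1.2.4 mail.example.com MX
"""

def shannon_entropy(s):
    """Bits of entropy per character; random hex/base32 labels score high."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        ts, client, qname, qtype = parts
        rows.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return rows

def find_txt_beacons(rows, min_unique=5, min_entropy=3.0):
    """Group TXT queries by (client, zone) and flag groups whose leading labels
    are numerous, distinct and high-entropy. Legitimate TXT lookups (SPF, DKIM,
    DMARC) hit a handful of fixed names and stay below the thresholds (assumed)."""
    groups = defaultdict(list)
    for ts, client, qname, qtype in rows:
        labels = qname.split(".")
        if qtype != "TXT" or len(labels) < 3:
            continue  # no subdomain label that could carry data
        zone = ".".join(labels[-2:])  # crude registered-domain heuristic
        groups[(client, zone)].append(labels[0])
    findings = []
    for (client, zone), labels in groups.items():
        uniq = set(labels)
        avg_entropy = sum(shannon_entropy(l) for l in uniq) / len(uniq)
        if len(uniq) >= min_unique and avg_entropy >= min_entropy:
            findings.append({"client": client, "zone": zone, "queries": len(labels),
                             "unique_labels": len(uniq), "avg_entropy": round(avg_entropy, 2)})
    return findings
```

Run it over real resolver logs by replacing SAMPLE_LOG with your own export in the same four-field layout; tune the thresholds against a week of baseline traffic before alerting on the output.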
Here is a short video by Sophos explaining this new attack.
Can Your Domain Be Spoofed?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?
Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against unless your users have had thorough security awareness training. KnowBe4 can help you find out if this is the case with our free Domain Spoof Test.
Find out now if your email server is configured correctly; many are not!
This is a simple, non-intrusive "pass/fail" test.
We will send a spoofed email "from you to you".
If it makes it through into your inbox, you know you have a problem.
You'll know within 48 hours!