APT28's latest Word doc attack eliminates needing to enable macros

The threat group APT28/Fancy Bear is now using a little-used technique available in Microsoft Office that enables the cybergang to execute arbitrary code through a Word document without requiring macros to be enabled.

McAfee saw what it called the Microsoft Office Dynamic Data Exchange (DDE) technique used as an attack vector, wrote McAfee researchers Ryan Sherstobitoff and Michael Rea. The cybergang also introduced a new piece of bait labeling the Word document as containing information on the recent terror attack in New York City.

The DDE protocol is used by Microsoft to share information between applications, but it can also be abused to launch malware from Word, Excel or Outlook attachments without the need for macros to be enabled, according to a Sophos report. This effectively eliminates one step an attacker needs its victim to take, since the payload is delivered as soon as the document is opened.
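As an added example, not code from the McAfee or Sophos reports: a defender-side check in Python that unpacks a .docx and flags field instructions carrying the DDE or DDEAUTO keyword, reassembling instructions that are split across several runs. The sample documents and their placeholder arguments are constructed inline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# DDE and DDEAUTO are the field keywords that make Word open a DDE conversation.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def field_instructions(part_xml: bytes) -> list:
    """Field instruction strings from one WordprocessingML part: w:instrText
    fragments joined per paragraph (so split keywords reassemble) plus w:instr."""
    root = ET.fromstring(part_xml)
    instrs = []
    for para in root.iter(f"{{{W}}}p"):
        frags = [t.text or "" for t in para.iter(f"{{{W}}}instrText")]
        if frags:
            instrs.append("".join(frags).strip())
    for simple in root.iter(f"{{{W}}}fldSimple"):
        instrs.append(simple.get(f"{{{W}}}instr", "").strip())
    return instrs

def scan_docx(data: bytes) -> list:
    """(part name, instruction) for every DDE field in a .docx given as bytes.
    Headers, footers and footnotes are separate parts under word/, so every
    XML part there is scanned, not only document.xml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                hits += [(name, i) for i in field_instructions(zf.read(name))
                         if DDE_RE.search(i)]
    return hits

def build_docx(*fields) -> bytes:
    """Constructed minimal .docx: one complex field per paragraph, split across runs."""
    paras = ""
    for parts in fields:
        runs = "".join(f"<w:r><w:instrText>{p}</w:instrText></w:r>" for p in parts)
        paras += ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs
                  + '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{W}"><w:body>{paras}</w:body></w:document>')
    return buf.getvalue()

# Constructed samples: a harmless DATE field, then a DDEAUTO field with placeholder
# (non-functional) arguments whose keyword is split over two runs.
BENIGN_DOCX = build_docx([" DATE "])
DDE_DOCX = build_docx([" DATE "], [" DDEA", 'UTO "PLACEHOLDER_APP" "PLACEHOLDER_ARGS" '])
```

The scanner covers Word parts only; the same field codes can appear in Excel and Outlook content, which would need their own parsers.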

The McAfee team came across several pieces of evidence tying these attacks to APT28, including the downloader and the command-and-control server domain, both of which have previously been associated with the group. The document it examined was:

  • Filename: IsisAttackInNewYork.docx
  • Sha1: 1c6c700ceebfbe799e115582665105caa03c5c9e
  • Creation date: 2017-10-27T22:23:00Z

“We have observed APT28 using Seduploader as a first-stage payload for several years from various public reporting. Based on structural code analysis of recent payloads observed in the campaign, we see they are identical to previous Seduploader samples employed by APT28,” Rea and Sherstobitoff said, adding, “We identified the control server domain associated with this activity as webviewres[.]net, which is consistent with past APT28 domain registration techniques that spoof legitimate-sounding infrastructure.”

Seduploader is a reconnaissance package that checks whether the target system is of interest to the attackers. If so, the X-Agent or Sedreco backdoors are installed and used to steal information such as passwords and content, or to run code.

McAfee was not certain why APT28 adopted DDE as an attack method, but it postulated that the technique lets the group bypass network defenses more effectively than the VBA macro approach it usually relies on.