A spear phishing campaign impersonating the U.S. Securities and Exchange Commission was recently discovered attempting to infect victims with DNSMessenger malware, using malicious Word attachments that abuse Microsoft Windows' Dynamic Data Exchange (DDE) protocol.
Discovered earlier this year, DNSMessenger is a fileless malware program that avoids detection by secretly establishing command-and-control communications using an infected machine's Domain Name System TXT record queries and responses. Previous phishing campaigns delivered the malware as a final payload following a series of PowerShell commands. According to researchers from Cisco Talos, the SEC phishing operation employed a similar infection chain, with the added twist of leveraging DDE for code execution, as opposed to more commonly used macros or OLE (Object Linking and Embedding) objects.
DDE is a protocol used for interprocess communications, such as the transferring of data between applications. Earlier this year, researchers at SensePost determined that DDE could be essentially exploited to execute malicious code in Microsoft Word.
Microsoft Corporation reportedly chose not to act on the findings, calling this functionality an intentional feature. However, SensePost noted in a blog post that Microsoft said it would consider reclassifying the feature as a bug in the next version of Windows. In the meantime, however, "We are now seeing it actively being used by attackers in the wild, as demonstrated in this attack," Talos reported in a blog post authored by researchers Edmund Brunaghin and Colin Grady, with contributions from Dave Maynor and @Simpo13.
Asked for comment, a Microsoft spokesperson offered the following statement: “This technique requires a user to disable Protected Mode and click through one or more additional prompts. We encourage customers to use caution when opening suspicious email attachments.”
Craig Williams, senior threat researcher and global outreach manager at Talos, told SC Media that Cisco's threat intelligence team first observed the SEC phishing campaign on October 10. In its report, Talos does not elaborate on which companies were specifically targeted by the phishing operation, other than to note that the intended victims were similar to those targeted in prior DNSMessenger campaigns. But Williams informed SC Media that the targets included insurance, finance, and IT companies.
In this latest attack, the phishers distributed emails that were spoofed to look like they came from the SEC's Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, a platform that corporations use to file their financial reports. The malicious Word document attached to these emails contained logos and branding that contributed to the illusion that the SEC was the sender.
Opening the attachment would trigger a notification indicating that the document contains links to external files, and asking the user for permission to import and display this content. Agreeing to do so triggered the infection, as the document would use the Windows DDE protocol to retrieve malicious code from a compromised government website owned by the state of Louisiana.
The downloaded code, executed via Powershell, would then commerce the complex infection chain, at which time key blocks of code are decoded and deobfuscated, and the malware studies the infected system to determine how best to achieve persistence, based characteristics such as the user's privilege level. The malware then sets up the DNS-based C&C infrastructure, including defining a list of domains that will be used for communications, before presumably executing the final payload. (Talos is crediting another researcher known as Wraith Hacker with documenting the final stage of this infection chain.)
"This attack shows the level of sophistication that is associated with threats facing organizations today," Talos notes in its blog post. "The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace."
Unrelated to this phishing campaign, the SEC's EDGAR platform was also recently breached by hackers who accessed various companies' documents and used the information gleaned to profit from insider trading.