Fancy Bear group abused DDE in recent U.S. campaign

Delaware, USA – November 9, 2017 – Cybercriminals from Fancy Bear, also known as APT28, started using DDE techniques in their phishing campaigns. Researchers from McAfee on Tuesday published a report in which they revealed the details of the recent campaign of this hacker group. The primary activity of this group is cyber espionage. On the late October, Fancy Bear used the terrorist attack theme in spear phishing emails to deceive their victims; adversaries sent carefully prepared emails with attached “empty” documents. When such document was opened, it abused Dynamic Data Exchange function in Microsoft Office to contact C&C server and install Seduploader malware. Cybercriminals used various modifications of this malware for several years to obtain information about the victim’s system, and then, if the victim is of interest, to install sophisticated spyware: Sedreco and X-agent.

Most AV solutions do not prevent the execution of malicious code, so more and more adversaries abuse DDE for malicious purposes. It is somewhat difficult to secure against such attacks. If you are using MS Office 2010, 2013 or 2016, you can disable DDEAuto by adding the following .reg file: https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b

Also, you can use the turn-key app from Use Case Cloud to be aware of any attempts of DDE abusing. DDE Exploitation Detector SIEM use case contains about 100 indicators of compromise and helps your SIEM administrators to respond to incidents promptly. It based on data and logs from firewalls, proxy, CrowdStrike Falcon EDR and Sysmon.