Adwind RAT Abuses DDE to Avoid Detection

Delaware, USA – September 25, 2018 — Researchers from Cisco Talos discovered a massive spam campaign that distributes the multi-platform Adwind RAT. Most targets of the attack are located in Turkey and Germany. Adversaries abuse the Dynamic Data Exchange feature in Microsoft Excel to successfully avoid detection by antivirus software. The campaign started on August 26 and continued to this day. The researchers found a lot of used malicious Excel documents with .CSV or .XLT extensions. Usage of these formats makes it difficult for antiviruses to recognize a document as malicious. When the document is opened, Excel executes the hidden code, and the user will be prompted to confirm the execution. If he agrees, the latest modification of the Adwind Trojan, which can attack systems running Windows, Linux and MacOs, is downloaded and installed into the system. The threat actor behind this campaign has not yet been identified.

Adwind RAT allows attackers to execute commands, transfer files, log keystroke and take screenshots, which makes it an excellent tool for cyber espionage. Hacker groups started abusing the Dynamic Data Exchange feature last fall, but after Microsoft partially fixed this flaw, the use of this technique has almost come to naught. In the uncovered campaign, adversaries slightly modified the long-known technique, so other threat actors can weaponize it again. DDE Exploitation Detector rule pack helps SIEM to spot signs of abusing MS Office. It works based on Firewall and Proxy events, Sysmon and CrowdStrike Falcon EDR log data: