Archive

All blog posts in chronological order

October 2017

Microsoft Office DDE Vortex Ransomware Targeting Poland - Unfortunately, it appears that ransomware authors are now starting to employ Microsoft Office DDE malware carriers. This post will likely be our last on DDE dissection and covers the delivery of Vortex ransomware, seemingly targeted towards Poland.
Microsoft Office DDE Freddie Mac Targeted Lure - In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting sample targeted at Freddie Mac employees. This post dives into the dissection of this well-put-together sample.
Microsoft Office DDE SEC OMB Approval Lure - In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as a Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample uses some tricks to increase its chances of successful exploitation. We walk through the dissection of its components in this post.
Microsoft Office DDE Macro-less Command Execution Vulnerability - On October 9th 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter, and that "exploit" creation is trivial. This post provides an overview of the vulnerability, offers a mitigation, covers sample hunting, and walks through the dissection of a few interesting samples gathered during the week.