Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

Locky Ransomware Spam Infects via Microsoft Office

Look Ma, No Macros: Malicious Spam Wields Windows Application-Linking Feature
Locky Ransomware Spam Infects via Microsoft Office
Desktop of a test system infected by the latest Locky campaign. (Source: Brad Duncan)

Attackers wielding Locky ransomware have a new trick up their sleeves: the ability to infect PCs via malicious Microsoft Word documents by using an application-linking feature built into Windows.

See Also: Live Webinar | Adversary Analysis of Ransomware Trends

Locky attacks debuted in 2016, but they diminished sharply at the beginning of the year before storming back in August (see Locky Ransomware Returns With Two New Variants). Since then, Locky campaigns have continued, with attackers last month using not just malware-laced spam messages to attempt to infect victims, but also phishing attacks designed to look like Dropbox.

Screenshot of an email tied to the Locky campaign. While security researchers have seen dozens of different email variations, there only appear to be three distinct malicious attachments. (Source: Brad Duncan)

In recent days, a new Locky campaign has emerged, once again being launched by the prolific Necurs botnet, which has long been used by attackers to fling malicious spam, banking Trojans and ransomware - including Jaff - at potential victims.

The new version of Locky has been spotted by numerous security experts, including U.K.-based Kevin Beaumont, who says via Twitter that it's the "first proper Locky update in some time." He notes that the latest campaign appears to be using "a few different tool kits bolted together to try to spread Locky" and says that it's not yet clear if its spreading mechanism, which uses Windows server message block protocol to extend the outbreak inside a network, is effective.

Security researchers say these phishing attacks sent via Necurs botnet spam appear to be serving Locky for victims in some geographies and the Trickbot banking Trojan for victims in other locations.

Locky Demands Bitcoins

Flowchart for the Locky attacks. (Source: Brad Duncan)

Historically, many malicious spam campaigns have attached to emails Word documents that include malicious macros. But such attacks require tricking users into enabling macros, which many administrators now block by default, owing to the risk they pose (see Hello! Can You Please Enable Macros?).

The latest Locky campaign, however, is using an application-linking feature in Windows called Dynamic Data Exchange to infect systems.

"I opened one of the Word documents in my lab environment and found a 1st stage malware (presumably a downloader) and a 2nd stage malware (Locky) during the infection," security researcher Brad Duncan at the SANS Institute's Internet Storm Center says in a blog post.

After it infected all of the files on his test system, Duncan reports that the Locky malware deleted itself, leaving behind a locked system and a note demanding a 0.25 bitcoin ransom. At the cryptocurrency's current sky-high valuation paying that ransom would cost $1,400 (see Please Don't Pay Ransoms, FBI Urges).

Back to the Future

Dynamic Data Exchange is a method that allows information in one program to be linked to another. For example, the value in a cell in a Microsoft Excel spreadsheet could be linked to another application and automatically update when the value in the application changed.

DDE debuted in 1987 as part of the 16-bit Windows 2.0 operating systems and is still supported in the latest versions of Windows. Even so, it's been largely superseded by Object Linking and Embedding data structures. As defined by Microsoft, these OLE structures "enable applications to create documents that contain linked or embedded objects."

As far back as 2007, Microsoft Windows guru Raymond Chen told programmers to "please feel free to stop using DDE" because the tool didn't always play well in the 32-bit Windows world.

DDE Warnings

Warnings about DDE began surfacing in March via security researcher Alex Davies (@pwndizzle), who said that DDE appeared to be a "very hackable feature," although added that he'd been unable to get DDE to execute in Word or PowerPoint.

Five months later, however, security researchers Etienne Stalmans and Saif El-Sherei of SensePost, the consultancy arm of European security services firm SecureData, reported that they solved that challenge.

The researchers write in a recently published blog post that a Word document can be created that automatically attempts to update included links via DDE. This feature could be abused by attackers, they warned, if the attackers could trick a victim into opening the document. At that point, the malicious document could automatically execute an external application, such as a malware downloader, as has now been seen in the latest Locky attacks.

DDE can be used to create a Word document (.docx) that asks a user if they want to start an external application to handle links in the current document, say researchers at Sensepost. Such requests are not restricted by macro settings and do not trigger any security alerts.

For attackers, DDE offers "a way to get command execution on Microsoft Word without any macros, or memory corruption," Stalmans and El-Sherei said.

A malicious Word document can be created, using DDE, to automatically load data from an external source once the document was opened. (Source: Sensepost.)

The SensePost researchers reported the DDE attack risk to Microsoft on Aug. 23 and were told on Sept. 26 by Microsoft that "it is a feature and no further action will be taken, and will be considered for a next-version candidate bug," meaning it might be eliminated in the next version of Windows.

Then again, DDE may never go away. Security experts such as anti-virus researcher Vesselin Bontchev have sided with Microsoft and noted that DDE works in all senses exactly as it was designed to do.

Immediate Defense

Thankfully, there is a simple workaround that will block the malicious use of DDE without any ramifications, "provided your company does not use the DDE feature to dynamically update Word files with content from Excel spreadsheets," according to the My Online Security forum. If so, this defense will break that functionality.

Here's the workaround: In Microsoft Word, under "File: Options: Advanced," in the "General" section, uncheck the "Update Automatic links at Open" setting. After that, "there is then no physical way that a recipient can click 'yes' to allow the links to work and download anything," according to My Online Security.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.