The MS Office DDE YARA rules that we published yesterday have detected several malicious document samples since 10/10/2017.
Remark: the malicious samples we mention were detected with our DDEAUTO rule (Office_DDEAUTO_field); as we feared, the second rule (Office_DDE_field) generates some false positives, and we will update it.
The first sample uses PowerShell to download an executable and run it. With zipdump.py and our YARA rules we can extract the command from the document's XML, and with the sed command “s/<[^>]*>//g” we can strip the XML tags to reveal the command:
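The same extraction, written out as an added Python example (this is not the diary's own code, nor part of zipdump.py or the YARA rules): a .docx is a ZIP archive, so the script opens it in memory, looks for DDE/DDEAUTO field instructions in every XML member, and removes the tags with the same regular expression as the sed command. The sample document.xml is constructed for the example and carries only harmless placeholder commands; it goes slightly beyond the diary's case by also handling the `w:fldSimple` form of a field and by reassembling instruction text that Word splits over several `w:instrText` runs.

```python
import html
import io
import re
import zipfile

# Constructed sample document.xml (not taken from any real malicious file).
# The first field is a DDEAUTO field whose instruction text Word has split
# over two <w:instrText> runs; the second uses the fldSimple form.
# Both commands are harmless placeholders.
SAMPLE_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body>'
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\\\Windows\\\\System32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"/k echo DDE-TEST" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>text shown to the user instead of the field code</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
    '<w:p><w:fldSimple w:instr=" DDE cmd.exe &quot;/c echo DDE-TEST&quot; ">'
    '<w:r><w:t>result</w:t></w:r></w:fldSimple></w:p>'
    '</w:body></w:document>'
)


def build_sample_docx() -> bytes:
    """Pack the constructed document.xml into a minimal in-memory .docx (a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


# Same idea as the sed expression s/<[^>]*>//g: drop every XML tag.
TAG_RE = re.compile(r"<[^>]*>")
# Everything between a field 'begin' marker and its 'separate'/'end' marker.
FIELD_RE = re.compile(
    r'fldCharType="begin"[^>]*>(.*?)<w:fldChar[^>]*fldCharType="(?:separate|end)"', re.S
)
# The single-tag form of a field, with the instruction in an attribute.
SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
# Field instructions that start a DDE or DDEAUTO request.
DDE_RE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.I)


def strip_tags(fragment: str) -> str:
    """Remove XML tags, decode entities and collapse whitespace."""
    return " ".join(html.unescape(TAG_RE.sub("", fragment)).split())


def extract_dde_commands(docx_bytes: bytes) -> list:
    """Return (member name, field instruction) pairs for every DDE field found."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            candidates = [strip_tags(m) for m in FIELD_RE.findall(xml)]
            candidates += [strip_tags(m) for m in SIMPLE_RE.findall(xml)]
            for instruction in candidates:
                if DDE_RE.match(instruction):
                    found.append((name, instruction))
    return found


if __name__ == "__main__":
    for member, instruction in extract_dde_commands(build_sample_docx()):
        print(f"{member}: {instruction}")
```

On a real document, replace `build_sample_docx()` with the bytes of the file under analysis; checking every XML member (headers, footers, footnotes) rather than only `word/document.xml` matters, because a field can live in any of them.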
The second sample is using PowerShell with a second stage DLL (we were not able to recover the DLL):
As could be expected, we also observed many samples that are not truly malicious, but are just samples from people experimenting with DDE code execution, starting 10/10/2017. This could also be the case for the “DLL sample”.
This campaign used compromised government servers to serve a PowerShell second stage script:
Leveraging compromised government servers increases the success of such campaigns, because of the implied trust associated with government servers.
Should you have to analyze the next stages, know that they are PowerShell scripts that have been compressed and BASE64 encoded. Here is one method to extract these scripts:
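One way to recover such a stage, as an added Python example rather than the diary's own method: the loader line is searched for a `FromBase64String('...')` argument, the argument is base64 decoded, and the result is decompressed, trying gzip, zlib and raw DEFLATE in turn, since PowerShell loaders use either `GzipStream` or `DeflateStream`. The loader text and the embedded script are constructed for the example (a harmless `Write-Host`), so the script runs offline.

```python
import base64
import gzip
import re
import zlib

# Constructed sample: the "second stage" is a harmless one-liner.
PLAIN_SCRIPT = "Write-Host 'stage two placeholder (constructed sample)'\n"


def make_sample_loader(kind: str = "deflate") -> str:
    """Build a loader line of the shape such stages use (constructed, not a real sample)."""
    raw = PLAIN_SCRIPT.encode()
    if kind == "gzip":
        blob = gzip.compress(raw)
        stream = "GzipStream"
    else:
        comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
        blob = comp.compress(raw) + comp.flush()
        stream = "DeflateStream"
    b64 = base64.b64encode(blob).decode()
    return (
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression." + stream
        + "((New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + b64
        + "'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
    )


# The base64 argument handed to FromBase64String, in single or double quotes.
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")


def decompress_any(blob: bytes) -> bytes:
    """Decompress gzip, zlib-wrapped or raw DEFLATE data, whichever it is."""
    if blob[:2] == b"\x1f\x8b":
        return gzip.decompress(blob)
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):  # zlib header, then raw
        try:
            return zlib.decompress(blob, wbits)
        except zlib.error:
            continue
    raise ValueError("data is not gzip, zlib or raw DEFLATE")


def extract_stages(loader_text: str) -> list:
    """Return the decoded, decompressed script for every FromBase64String() in the text."""
    stages = []
    for b64 in B64_RE.findall(loader_text):
        blob = base64.b64decode("".join(b64.split()))  # tolerate wrapped lines
        stages.append(decompress_any(blob).decode("utf-8", errors="replace"))
    return stages


if __name__ == "__main__":
    for kind in ("deflate", "gzip"):
        for stage in extract_stages(make_sample_loader(kind)):
            print(f"[{kind}] {stage.rstrip()}")
```

Run `extract_stages()` again on each recovered script: later stages are frequently wrapped the same way, and stopping after one layer leaves the actual payload unread.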