Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit

Cybercriminals, including state-sponsored hackers, have started actively exploiting a newly discovered Microsoft Office vulnerability that Microsoft does not consider as a security issue and has already denied to patch it.

This problem can be easily solved. Download CyberByte antivirus from the Apple AppStore.

Mac / MacOS / OS X users can download antivirus for Mac solution CyberByte by clicking the banner below. The free antivirus will help you to know if your Mac is infected. Antivirus for Mac is an awarded software for malware detection. The free antivirus for Mac is available for new MacOS and older OS X versions.

Features of CyberByte™ antivirus:

  • Protects you from all kind of threats
  • CyberByte™ custom detection engine includes Mac and Windows malware protection and detection
  • Fastest scanning times in the market
  • Crypto Mining rogue extensions/malware detection
  • Ransomware detection - don’t negotiate with ransomware cyber terrorists – keep your Mac and Windows safe
  • Active live protection from background
  • Certified Threat Detector by OPSWAT
  • Easy to Install
  • Easy to Manage
  • Incredible value for money

Invisible, protecting you from behind the scenes - You will not feel it is installed on your computer, easy on the resources, like a protection software should be.

Original technology that combines behavioral heuristic analysis with powerful signatures database – the CyberByte™ Protection Engine  delivers top of the line protection in an instant.

Fastest scanning times in the market – your time is precious, but also so is your digital life – CyberByte™ delivers fast scanning saving both time and your valuable data.

Don’t negotiate with ransomware cyber terrorists – keep your Mac safe and don’t ever end up paying for what is already yours.

Protect others as well – the CyberByte™ Protection Engine  not only detects the threat but stops it from spreading to other Macs or Windows machines.

Don’t let strangers use your resources – more than 80% of the attacks are crypto mining driven. Are you sure your computer is not mining for crypto while you read this text?

Our malware protection will continuously look after your device providing the best security against viruses. Give us the chance to prove it by downloading the antivirus for your device.

The free download antivirus is available for both Mac and Windows users.

The antivirus for Mac is a certified product by OPSWAT (OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against
zero-day attacks by using multiple antivirus engine scanning and document sanitization.
To learn more about OPSWAT’s innovative and unique solutions, please visit

Last month, we reported how hackers could leverage a built-in feature of Microsoft Office feature, called Dynamic Data Exchange (DDE), to perform code execution on the targeted device without requiring Macros enabled or memory corruption.

DDE protocol is one of the several methods that Microsoft uses to allow two running applications to share the same data.

The protocol is being used by thousands of apps, including MS Excel, MS Word, Quattro Pro, and Visual Basic for one-time data transfers and for continuous exchanges for sending updates to one another.

Soon after the details of DDE attack went public, several reports emerged about various widespread attack campaigns abusing this technique in the wild to target several organisations with malware.
Now, for the first time, this DDE attack technique has been found leveraging by an Advanced Persistent Threat (APT) hacking group—APT28, which is well known as Fancy Bear and is widely believed to be backed by the Russian government.

Russian Hackers Using New York Terror Attack to Lure Victims

While analyzing a new spear phishing campaign, security researchers discovered that the Fancy Bear hackers have been leveraging the DDE vulnerability since late October, according to a recent report published Tuesday by McAfee researchers.

The campaign involved documents referencing the recent terrorist attack in New York City in an attempt to trick victims into clicking on the malicious documents, which eventually infects their systems with malware. Since DDE is a Microsoft’s legitimate feature, most antivirus solutions don’t flag any warning or block the documents with DDE fields.

Widget not in any sidebars

Therefore, anyone who clicks on the malicious attachment (with names like SabreGuard2017.docx or IsisAttackInNewYork.docx) inadvertently runs malicious code on his/her computer without any restriction or detection.

Once opened, the document runs contacts a command-and-control server to install the first stage of the malware called Seduploader on victims’ machines using PowerShell commands.

Seduploader then profiles prospective victims by pulling basic host information from the infected system to the hackers. If the system is of interest, the attackers later install a more fully featured piece of spyware—X-Agent and Sedreco.
“APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections but can also rapidly incorporate new exploitation techniques to increase its success,” Mcafee researchers concluded.
“Given the publicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses.”
This is not first malware campaign that has been spotted abusing the DDE attack technique.
Soon after the details of DDE attack technique went public, Cisco’s Talos threat research group uncovered an attack campaign that was actively exploiting this attack technique to target several organisations with a fileless remote access trojan called DNSMessenger.

Late last month, researchers discovered a campaign that spread Locky ransomwareand TrickBot banking trojan via Word documents that leveraged the DDE technique.

Another separate malware spam campaign discovered by security researchers also found distributing Hancitor malware (also known as Chanitor and Tordal) using Microsoft Office DDE exploit.

Since Microsoft does not provide any protection against such attacks, you can easily prevent yourself from falling victim to any malicious document abusing the Microsoft’s DDE feature by disabling it entirely.

If you use Microsoft Word 2016 or Microsoft Excel 2016, go to Options → Advanced, and then remove the checkmark from “Update automatic links at open” which is listed under the general group on the page.

In MS Excel, you can also consider checking “Ignore other applications that use Dynamic Data Exchange (DDE).”

Moreover, Disable DDEAuto is a Registry file maintained on GitHub that disables the “update links” as well as “embedded files” functionality in MS Office documents when run.

The procedure is simple:

  • Just free download antivirus from CyberByte website either for Mac or Windows.
  • Install it using the antivirus installer package.
  • Windows and Mac users will free malware scan their devices. The scan duration depends on how many files the end user has.
  • CyberByte antivirus will show if any files are infected after the scan is finished.

You can detect Office documents abusing the DDE feature via a set of YARA rules in Office Open XML files published by the researchers at NVISO Labs.

However, the best way to protect yourself from such malware attacks is always to be suspicious of uninvited documents sent via emails and never click on links inside those documents unless adequately verifying the source.

Source: TheHackerNews

Companies can protect them from hacking by using the best hosting and web hosting service available with the best cybersecurity.