In the past two weeks, a vulnerability in Microsoft’s Dynamic Data Exchange (DDE) has been leveraged to launch malware attacks. Attackers are not only using it to deliver Locky ransomware; Hancitor and Necurs botnet campaigns are exploiting this vulnerability as well.
What is DDE
DDE is a protocol that allows Office programs to exchange data with one another (e.g., DDE can be used to ensure a table in a Word document is automatically updated with data from an Excel file).
Campaigns exploiting DDE
- Necurs Botnet
Necurs botnet campaigns are now delivering Locky by exploiting the DDE vulnerability. The attachments are disguised as email invoices. When the DDE vulnerability is exploited, the victim is presented with two prompts; clicking Yes results in the payload being downloaded and executed, infecting the system.
- Hancitor Trojan
Hancitor is a downloader Trojan that distributes its payload via Word documents with embedded malicious macros. The payload is generally an info stealer. Researchers have observed Hancitor using DDE as one of its multiple attack methods.
- Fancy Bear / APT28
A highly prevalent APT group, commonly known as Fancy Bear, is also using DDE.
Advisory By Microsoft
Microsoft has issued an advisory to secure MS Office installations from DDE attacks.
Mitigating DDE Attack Scenarios
Users who wish to take immediate action can protect themselves by manually creating and setting registry entries for Microsoft Office. Use the following instructions to set the registry keys based on the Office applications installed on your system.
Warning: If you use Registry Editor incorrectly, you could cause serious problems that could require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Microsoft Excel
Office Version | Registry Key <version> string |
Office 2007 | 12.0 |
Office 2010 | 14.0 |
Office 2013 | 15.0 |
Office 2016 | 16.0 |
Microsoft Outlook
Office Version | Registry Key <version> string |
Office 2010 | 14.0 |
Office 2013 | 15.0 |
Office 2016 | 16.0 |
Microsoft Word
Office Version | Registry Key <version> string |
Office 2010 | 14.0 |
Office 2013 | 15.0 |
Office 2016 | 16.0 |
For information about the registry modifications needed to mitigate DDE attacks, visit: