MS Office DDE Exploit/BadRabbit Ransomware

Over the past few weeks there have been reports of attackers exploiting a built-in Microsoft Office feature and leveraging it in several large malware campaigns. The feature being exploited is called Dynamic Data Exchange (DDE). It is one of several methods Microsoft uses to allow data sharing between two running applications.

Some of the widespread malware campaigns that leverage DDE include: DNSMessenger, the Necurs Botnet, and Hancitor.

Prevention

Most antivirus solutions will not flag or block MS Office documents with DDE fields because DDE is a legitimate feature.

Microsoft has no plans to release a patch for this issue, but you can prevent DDE attacks by disabling the “update automatic links at open” option in Office programs.

You can do this by following these steps:

  1. Open a MS Office program
  2. Select File → Options → Advanced
  3. Scroll down to General and uncheck the “Update automatic links at open” box.

However, with attacks like this, the best method of prevention is to be suspicious of documents sent via email and to verify the authenticity of the sender.

 

BadRabbit Ransomware

On Tuesday, yet another major ransomware campaign spread across Russia, Ukraine, and Eastern Europe. The organizations initially affected included the Ministry of Infrastructure, Kiev metro, Odessa International Airport, and a few Russian Federation state organizations.

The ransomware, dubbed BadRabbit, was initially spread via drive-by downloads from legitimate news sites masquerading as an Adobe Flash Player update.

Prevention

A vaccine was found relatively early in the community’s analysis of BadRabbit by security researcher Amit Serper.

You can apply the vaccination by following these steps:

  1. Create c:\windows\infpub.dat & c:\windows\cscc.dat files. Open an admin Command Prompt and enter the following commands:
    1. echo “” > c:\windows\cscc.dat
    2. echo “” > c:\windows\infpub.dat
  2. Remove all permissions:
    1. Right click each file and select Properties.
    2. Select the Security tab → Advanced Change Permissions.
    3. Uncheck the “Include inheritable permissions from this object’s parent” box and click Remove on the pop-up that appears.
    4. Windows 10 users need to click Disable inheritance instead of unchecking the “Include inheritable permissions from this object’s parent” box and then select “Remove all inherited permissions from this object”.

Sources:
https://thehackernews.com/2017/10/ms-office-dde-malware-exploit.html
https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/
https://www.helpnetsecurity.com/2017/10/25/bad-rabbit-ransomware/