An increasing number of attacks take advantage of the capabilities of modern document formats to get past baseline anti-malware solutions. Such evasive measures involve initiating malicious actions from document files to infect endpoints by using macros, PowerShell and other scripts. A single click can inadvertently infect your systems.

Malware authors continue to look and inevitably find new ways of abusing features of document-processing applications to infect systems. One such evasive technique that has been making its rounds lately takes advantage of the support that Microsoft Office has for a technology known as Dynamic Data Exchange (DDE). DDE allows adversaries to deliver stealthy payloads via document files while avoiding the common usage of macro.

Adversaries have quickly adapted to use this technique and are now exploiting it in in-the-wild. For instance, a recent report by Talos shows the usage of DDE in targeted spear phishing with malicious documents compromising U.S. state government servers.

Another example is Necurs Botnet and Hancitor a malware which is never too late to the party, often utilizing such fresh tactics like the ones revealed by our team previously.

The use of DDE as an evasive tactic is appealing to attackers because it allows them to bypass endpoint solutions which lately improved their macro code protection.

The attackers can use DDE to execute malicious code not just from Microsoft Word and Excel, but also from Outlook email messages and calendar invites. In this manner, the tactic’s effectiveness is similar to that of an earlier nation state attack. Such evasive tactics make the detection of the threat very difficult and pushes security admins to rely on end-users, as described by Sophos.

As the number of malicious document attacks increase, the security industry’s response follows with improved detection. This in return sends perpetrators to find new evasive techniques.

In contrast to other endpoint security solutions, Minerva’s Anti-Evasion Platform doesn’t examine files for malicious characteristics to protect our users. Instead, we create an environment on the endpoint where evasive tactics cause malware to self-terminate or go to sleep. As I tweeted when the attack emerged all Minerva customers are protected from this attack.


Request a sample of this malware today to test it against your current solutions and Minerva.