
Locky Uses DDE Attack for Distribution

While continuing to spread via spam emails sent by the Necurs botnet, the Locky ransomware has switched to new attack techniques in recent campaigns, in an attempt to evade detection and improve its infection rate.

One of the methods involves the use of the Dynamic Data Exchange (DDE) protocol, which was designed to let Windows applications transfer data between one another. Consisting of a set of messages and guidelines, it uses shared memory to exchange data between applications.

Malicious actors found a way to use DDE with Office documents to automatically run malware without the use of macros. DDE, which allows an Office application to load data from another Office application, was superseded by Microsoft's Object Linking and Embedding (OLE), but continues to be supported.
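As an added, defender-side example that is not part of this article, the following Python script scans a .docx container for field codes that open a DDE link, joining complex fields across their runs so that a keyword split over several runs is still caught; the sample document it builds is constructed here, and the executable path inside it is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # field keywords that open a DDE link

def extract_field_codes(part_xml: bytes) -> list:
    """Return every field instruction in one WordprocessingML part; complex fields
    (fldChar begin ... end) are joined across instrText runs, since the keyword can be split."""
    codes, current, depth = [], [], 0
    for el in ET.fromstring(part_xml).iter():           # document order
        if el.tag == W + "fldSimple":                    # simple field: code is an attribute
            codes.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            depth += 1 if kind == "begin" else -1 if kind == "end" else 0
            if kind == "end" and depth == 0:             # outermost field closed: emit it
                codes.append("".join(current))
                current = []
        elif el.tag == W + "instrText" and depth > 0:
            current.append(el.text or "")
    return codes

def find_dde_fields(docx_bytes: bytes) -> list:
    """Scan every word/*.xml part of a .docx (headers/footers included) for DDE field codes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")):
            try:
                hits += [c.strip() for c in extract_field_codes(zf.read(name)) if DDE_RE.search(c)]
            except ET.ParseError:
                continue                                 # malformed part: skip, keep scanning
    return hits

def build_sample_docx() -> bytes:
    """Constructed sample, not a real Locky lure: a benign PAGE field plus a DDEAUTO field
    split over two instrText runs; the target path is a placeholder."""
    doc = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
        '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText> DDE</w:instrText></w:r>'
        '<w:r><w:instrText>AUTO "C:\\placeholder\\app.exe" "arg"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>Invoice</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

The benign PAGE field is ignored while the split DDEAUTO field is reported as one joined code, which is the check a mail gateway or sandbox pre-filter would apply to attachments like the invoices described above.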

The technique was previously observed being employed by the FIN7 hacking group in recent DNSMessenger malware attacks, and Internet Storm Center (ISC) handler Brad Duncan says it could also be associated with a Hancitor malware campaign spotted earlier this week.

Now, Duncan reveals that Locky too has adopted the use of Office documents and DDE for infection. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macros or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

“The continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists,” the security researchers explain.


Recent Necurs-fueled distribution campaigns were also observed dropping the TrickBot banking Trojan via the same attachments carrying Locky.

Related: Massive Spam Runs Distribute Locky Ransomware

Related: Hackers Used Government Servers in DNSMessenger Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
