Locky Uses DDE Attack for Distribution

While continuing to spread via spam emails sent by the Necurs botnet, the Locky ransomware has switched to new attack techniques in recent campaigns, in an attempt to evade detection and improve its infection rate.

One of the methods involves the Dynamic Data Exchange (DDE) protocol, which was designed to let Windows applications transfer data between one another. Consisting of a set of messages and guidelines, it uses shared memory to exchange data between applications.

Malicious actors found a way to use DDE with Office documents and automatically run malware without the use of macros. DDE, which allows an Office application to load data from another Office application, was replaced by Microsoft with Object Linking and Embedding (OLE), but continues to be supported.
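A defender-side check for the technique described above, as an added example that is not from the article or the researchers it cites: it assumes the attachment is an OOXML .docx and flags DDE/DDEAUTO field instructions, including ones split across several runs. The function names and the sample field arguments are constructed placeholders.

```python
import html
import io
import re
import zipfile

# WordprocessingML carries field instructions in <w:instrText> runs (complex
# fields) or in the w:instr attribute of <w:fldSimple> (simple fields).
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"', re.S)
DDE_FIELD = re.compile(r"\s*DDE(AUTO)?\b", re.I)

def dde_fields_in_xml(xml):
    """Return the normalised text of every DDE/DDEAUTO field in one XML part."""
    candidates = list(FLD_SIMPLE.findall(xml))
    # An instruction may be split across runs, so join all instrText between
    # consecutive fldChar markers first. Nested fields are not unwound here.
    for segment in re.split(r"<w:fldChar\b", xml):
        candidates.append("".join(INSTR_TEXT.findall(segment)))
    return [" ".join(html.unescape(c).split())
            for c in candidates if DDE_FIELD.match(html.unescape(c))]

def scan_docx(data):
    """Map each word/*.xml part of a .docx (bytes) to the DDE fields it holds."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found = dde_fields_in_xml(zf.read(name).decode("utf-8", "replace"))
                if found:
                    hits[name] = found
    return hits

def build_sample(body):
    # Constructed test input: a bare ZIP holding only word/document.xml.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document><w:body>%s</w:body></w:document>" % body)
    return buf.getvalue()

def field_xml(*instr_runs):
    runs = "".join("<w:r><w:instrText>%s</w:instrText></w:r>" % r for r in instr_runs)
    return ('<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>' % runs)

# Constructed samples; the field arguments are inert placeholders.
SPLIT_DDE = field_xml(" DDE", "AUTO placeholder_app placeholder_topic ")
BENIGN = field_xml(" PAGE ")

if __name__ == "__main__":
    print(scan_docx(build_sample(SPLIT_DDE)), scan_docx(build_sample(BENIGN)))
```

Legacy binary .doc files and other Office formats store fields differently and need their own parsers.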

The technique was previously observed being employed by the FIN7 hacking group in recent DNSMessenger malware attacks, and Internet Storm Center (ISC) handler Brad Duncan says it could also be associated with a Hancitor malware campaign spotted earlier this week.

Now, Duncan reveals that Locky too has adopted the use of Office documents and DDE for infection. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.

The use of DDE for infection, however, is only one of the methods Locky employs. As Trend Micro points out, Necurs also distributed the ransomware through HTML attachments posing as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

“The continuous changes in Locky’s use of file attachments are its way of adjusting its tools to evade or bypass traditional security. But despite the seeming variety, there are common denominators in Locky’s social engineering, particularly in the email subjects and content. They appear to have the same old flavors, but with relatively different twists,” the security researchers explain.

Recent Necurs-fueled distribution campaigns were also observed dropping the TrickBot banking Trojan via the same attachments carrying Locky.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
