New Microsoft Word attacks infect PCs sans macros

https://arstechnica.com/information-technology/2017/11/russia-linked-fancy-bear-attacks-abuse-macro-less-ms-word-to-infect-pcs/


Fancy Bear, the advanced hacking group researchers say is tied to the Russian government, is actively exploiting a newly revived technique that gives attackers a stealthy means of infecting computers using Microsoft Office documents, security researchers said this week.

Fancy Bear is one of two Russian-sponsored hacking outfits researchers say breached Democratic National Committee networks ahead of last year's presidential election. The group was recently caught sending a Word document that abuses a feature known as Dynamic Data Exchange. DDE allows a file to execute code stored in another file and allows applications to send updates as new data becomes available.

In a blog post published Tuesday, Trend Micro researchers said Fancy Bear was sending a document titled IsisAttackInNewYork.docx that abused the DDE feature. Once opened, the file connects to a control server to download a first-stage of piece of malware called Seduploader and installs it on a target's computer. DDE's potential as an infection technique has been known for years, but a post published last month by security firm SensePost has revived interest in it. The post showed how DDE could be abused to install malware using Word files that went undetected by anti-virus programs.

A day after Trend Micro published its report about Fancy Bear, Microsoft posted an advisory explaining how Office users can protect themselves from such attacks. The easiest way to stay safe is to remain wary of unfamiliar messages that get displayed when opening a document. As SensePost first disclosed, before the DDE feature can be used, users will see a dialog box that looks something like the following:

(had to stop to comply with DU ToS, lots of good comments at the article)