Locky Ransomware Distributed via DDE Attack

Locky ransomware has recently changed its attack techniques again, trying to evade detection and improve the infection rate.

Among the new methods of distribution is the use of the Dynamic Data Exchange (DDE) protocol, which allows Windows applications to transfer data between one another.

The DDE protocol features a set of messages and guidelines and uses shared memory to exchange data between applications.

Hackers found a way to use DDE with Office documents to run malware automatically, without using macros.

DDE, which lets an Office application load data from another Office application, continues to be supported, although Microsoft replaced it with Object Linking and Embedding (OLE).
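Because the DDE request is carried by a Word field code rather than a macro, macro-focused controls do not see it. The triage script below is an added example, not code from the article or from the researchers it quotes: it unpacks a .docx (an OOXML zip), reassembles each field instruction from its `<w:instrText>` runs the way Word does, and reports any field whose first keyword is `DDE` or `DDEAUTO`. The sample document it builds for the demonstration is constructed here, with placeholder application and argument names, purely to exercise the scanner. It catches the plain form of the field only; fields obfuscated with nested `QUOTE` or `SET` fields would need the field tree to be evaluated, so treat a clean result as one signal among several.

```python
"""Triage helper: list DDE / DDEAUTO field codes inside .docx files."""
import io
import re
import sys
import zipfile

# Field instructions live in <w:instrText> runs (a field may span several runs)
# or in the w:instr attribute of a self-contained <w:fldSimple> element.
INSTR_RUN_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
# A DDE field begins with DDE or DDEAUTO; Word ignores leading whitespace
# and keyword case, so the check does the same.
DDE_KEYWORD_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(docx_bytes: bytes) -> list[str]:
    """Return every field instruction found in the document's word/*.xml parts."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Runs belonging to one paragraph are joined without separators, as Word
            # assembles them, so a keyword split across runs is put back together.
            for paragraph in xml.split("</w:p>"):
                runs = INSTR_RUN_RE.findall(paragraph)
                if runs:
                    codes.append("".join(runs))
            codes.extend(FLD_SIMPLE_RE.findall(xml))
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return the field instructions that would make Word issue a DDE request."""
    return [c.strip() for c in extract_field_codes(docx_bytes) if DDE_KEYWORD_RE.search(c)]


def build_sample_docx(instr_runs: list[str]) -> bytes:
    """Constructed minimal .docx holding one field whose instruction is split over
    the given runs. Demo input only; not a real document from any campaign."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        + "".join(f'<w:r><w:instrText xml:space="preserve">{run}</w:instrText></w:r>'
                  for run in instr_runs)
        + '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>placeholder field result</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan real files: python scan_dde.py suspicious.docx ...
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                hits = find_dde_fields(fh.read())
            print(f"{path}: {len(hits)} DDE field(s)", *hits, sep="\n  ")
    else:
        # Self-demo on constructed documents: one DDEAUTO field split across two
        # runs (placeholder names), one harmless DATE field.
        split_keyword = build_sample_docx(["DD", 'EAUTO placeholder-app "placeholder-arg"'])
        benign = build_sample_docx([' DATE \\@ "yyyy-MM-dd" '])
        print("split DDEAUTO ->", find_dde_fields(split_keyword))
        print("DATE field    ->", find_dde_fields(benign))
```

Run it over a mail-gateway quarantine or a sandbox's dropped-file directory to flag documents for closer analysis; pair it with host telemetry for Word spawning child processes, since that is the observable side effect when the field fires.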

Some time ago, security experts noticed the same technique being employed by the FIN7 hacking group in the DNSMessenger malware attacks.

According to the Internet Storm Center (ISC) handler Brad Duncan, it could also be associated with a Hancitor malware campaign that was registered last week.

Duncan says that Locky has also adopted the use of Office documents and DDE for infection. The documents were attached to messages disguised as invoices and delivered via spam emails originating from Necurs.

The analyzed attack used a first-stage malware that achieved persistence on the compromised system; the Locky binary itself, by contrast, was deleted post-infection.

Nevertheless, the use of DDE for infection is only one of the methods employed by the Locky ransomware.

According to Trend Micro, Necurs also distributed the threat via HTML attachments disguised as invoices, Word documents embedded with malicious macro code or Visual Basic scripts (VBS), malicious URLs in spam emails, and VBS, JS, and JSE files archived via RAR, ZIP or 7ZIP.

Recently, the researchers observed Necurs-fueled distribution campaigns which were dropping the TrickBot banking Trojan via the same attachments carrying the Locky ransomware.
