Malware exploits unpatched Microsoft Office Word DDE

by Tomas Statkus - -

A recently discovered hacking technique is being used in a range of widespread malware attacks. The method exploits a vulnerability of a built-in feature of the MS Office software.

malware exploits microsoft officeThe Hacker News announced how attackers are able to leverage Dynamic Data Exchange (DDE), an old MS Office feature, in order to perform malware execution on the victim’s machine. MS applies DDE protocol so multiple running applications share the same information.[1]

DDE is being employed by many apps such as MS Word, Excel, Quattro Pro.DDE does not pop up any security notifications or warnings to compromised users but asks victims wheatear they want to carry out the app specified in the command. However, this notification can also be blocked and eliminated.

Once the details of DDE attack method were published, the security firm Cisco’s Talos disclosed the information about DNSMessenger, Trojan (RAT), which uses the same attack method in order to target businesses.[2]

DDE is exploited by Necurs Botnet

Necurs Botnet currently controls more than 6 million compromised computers in the world. Necurs sends spam emails with attached MS Word file that leverage the DDE attack method in order to spread Locky ransomware and TrickBot Trojan.

According to security researchers at Symantec:[3]

What’s interesting about this new wave is that the downloader now contains new functionality to gather telemetry from victims. It can take screen grabs and send them back to a remote server. There’s also an error-reporting capability that will send back details of any errors that the downloader encounters when it tries to carry out its activities.

DDE is exploited by the Hancitor malware

One more malware campaign has been detected distributing Hancitor malware, according to SAMS ISC InfoSec. The Hancitor malware is also known as Chanitor and Turdal and is also distributed by applying the MS DDE exploit.[4] 

The malware installs into infected device payloads, such as Trojans, data theft malicious programs and ransomware.

Protect your device from DDE attacks

DDE is a legitimate MS Office feature and Internet security software neither sends any warnings or notifications nor blocks or remove MS Office malicious documents. MS also is not willing to patch the feature.
So, the protection against DDE attacks is on you.

Do not open uninvited MS Office documents, or click on links or download attached programs, from unverified and suspicious senders.

In addition, you should disable the “update automatic links at open” in the MS Office apps. 

About the author

Tomas Statkus
Tomas Statkus - Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of He has worked in the IT area for over 10 years.

Contact Tomas Statkus
About the company Esolutions


now online
Like us on Facebook