The Threat

The eSentire Security Operations Center has observed a spear phishing campaign targeting customers in the financial industry. The email claims to originate from the Securities and Exchange Commission, and arrives bundled with a malicious Microsoft Word Document. The document uses Dynamic Data Exchange (DDE) protocol to execute malicious PowerShell code which downloads and executes DNSMessenger malware. If successful, this attack allows the threat actor to interact with the victim’s system.
What you should do about it

  • DDE relies on user interaction. As such, staff education is an important step in preventing this attack. We recommend sharing indicators (see below) with users to increase awareness of this threat.
  • Implement spoofed-email blocking with Sender Policy Framework (SPF) or Sender ID.

Additional Information

  • The observed spear phishing email uses a spoofed [email protected] address to lure victims into downloading and opening a Microsoft Word attachment (see below). The document contains a malicious Dynamic Data Exchange (DDE) field which attempts to spawn a PowerShell process.
  • Unlike similar spear phishing campaigns, this attack does not use VBA macros to execute commands; DDE is a separate mechanism that needs none.
  • DDE presents the end user with a message prompt and requires the user to accept it before the command executes.
  • Once installed, DNSMessenger malware uses DNS TXT queries to create a bidirectional command and control (C2) channel between the victim and the attacker.
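
As an added illustration of the detection side of the two points above (not eSentire's or Talos's code), the following Python scanner opens a .docx, pulls every field code out of its WordprocessingML parts and flags the DDE / DDEAUTO fields that cause Word to show the update prompt; build_sample_docx and the field strings it is fed are constructed here purely so the check runs offline, and are not artifacts from the campaign.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def extract_field_codes(docx_bytes: bytes) -> list:
    """Collect field instruction strings from every XML part under word/ (body,
    headers, footers, footnotes). Simple fields carry the code in w:fldSimple/@w:instr;
    complex fields spread it over w:instrText runs between 'begin' and 'end' w:fldChar."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = [n for n in z.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            depth, buf = 0, []
            for el in ET.fromstring(z.read(name)).iter():
                tag = el.tag.split("}")[-1]
                if tag == "fldSimple":
                    codes.append(el.get(f"{{{W_NS}}}instr", ""))
                elif tag == "fldChar":
                    kind = el.get(f"{{{W_NS}}}fldCharType")
                    depth += 1 if kind == "begin" else -1 if kind == "end" else 0
                    if kind == "end" and depth == 0:  # nested fields are flattened into one code
                        codes.append("".join(buf))
                        buf = []
                elif tag == "instrText" and depth > 0:
                    buf.append(el.text or "")
    return codes

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return only the field codes that would make Word raise the 'update the fields'
    prompt and launch a DDE server (DDE / DDEAUTO); everything else (DATE, PAGE...) is benign."""
    return [c for c in extract_field_codes(docx_bytes) if DDE_FIELD.search(c)]

def build_sample_docx(field_codes) -> bytes:
    """Constructed minimal .docx with one complex field per code, used only to
    exercise the scanner offline (not a real sample from the campaign)."""
    paras = "".join(
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{code}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        for code in field_codes)
    doc = f'<w:document xmlns:w="{W_NS}"><w:body>{paras}</w:body></w:document>'
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/document.xml", doc)
    return out.getvalue()
```

Run find_dde_fields over inbound attachments at the mail gateway or in a sandbox; a non-empty result is a strong signal to quarantine, since legitimate documents rarely carry DDE fields.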
Email Indicators

Subject: EDGAR Filings

From: [email protected] (spoofed)

Filings and Forms rules

Dear TARGETNAME,

The SEC's Office is issuing this EDGAR Alert to inform EDGAR members about changes in EDGAR Filings.

Attachment:
Filings_and_Forms.docx

When opened, it presents the user with the following message:

Dialog box reading 'This document contains fields that may refer to other files. Do you want to update the fields in this document?'

Clicking Yes on the pop-up will initiate the download of DNSMessenger malware.
For additional information, please visit:

http://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html

eSentire Media Contacts

Mandy Bachus | eSentire | [email protected] | +1 519.651.2200 x5226 | @MandyBachus

Angela Tuzzo | MRB Public Relations | [email protected] | +1 732.758.1100 x105 | @MRB_PR