The technique abuses Dynamic Data Exchange (DDE), a legacy Windows inter-process communication feature that lets one application request data from, or send commands to, another and receive updates as new data becomes available. A Word document can carry a DDE field that launches another program when the document is opened, so the method may allow malware to be installed without detection by anti-virus programs.
In a blog post published Tuesday, Trend Micro researchers said Fancy Bear was sending a document titled IsisAttackInNewYork.docx that abused the DDE feature. Once opened, the file connects to a control server to download a first-stage piece of malware called Seduploader and installs it on the target's computer.

DDE's potential as an infection technique has been known for years, but a post published last month by security firm SensePost revived interest in it. The post showed how DDE could be abused to install malware using Word files that went undetected by anti-virus programs.

Before the malicious payload can be executed, the user has to click through two warning prompts in Office, so the attack still depends on the victim accepting them. Microsoft has posted a security advisory that includes mitigation tips.
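The DDE field codes that this campaign and the SensePost post rely on are stored in the document's WordprocessingML XML, so a .docx can be checked for them before anyone opens it and faces the two prompts. The scanner below is an added example written for this page, not code from the article, Trend Micro, SensePost or Microsoft. The function names (`field_codes`, `scan_docx`, `build_docx`) are the example's own; the two sample documents are constructed in-memory fixtures (zip files holding only `word/document.xml`, not Word-openable documents), and the field code in the malicious one uses `cmd.exe /k calc.exe` as a harmless stand-in for a real first-stage downloader.

```python
"""Scan .docx parts for DDE / DDEAUTO field codes.

Added example for this page; not code from the article, Trend Micro, SensePost
or Microsoft. Field-code layout follows the WordprocessingML schema; the sample
documents below are constructed fixtures.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# DDE or DDEAUTO as a standalone token, case-insensitive (Word ignores case).
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(xml_bytes):
    """Return every field instruction string in one WordprocessingML part.

    Simple fields keep the code in <w:fldSimple w:instr="...">. Complex fields
    spread it over <w:instrText> runs between <w:fldChar w:fldCharType="begin"/>
    and the matching "end"; splitting the keyword across runs defeats naive
    substring matching, so the runs are joined before inspection. Nested fields
    (e.g. a QUOTE wrapping a DDEAUTO) are folded into the outer field's code.
    """
    root = ET.fromstring(xml_bytes)
    codes = [f.get(W + "instr", "") for f in root.iter(W + "fldSimple")]
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def scan_docx(data):
    """Scan a .docx given as bytes; return {part name: [DDE field codes]}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Body, headers, footers, footnotes and comments all live under word/.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = field_codes(zf.read(name))
            except ET.ParseError:
                continue
            hits = [c.strip() for c in codes if DDE_RE.search(c)]
            if hits:
                findings[name] = hits
    return findings


def build_docx(document_xml):
    """Constructed fixture: a zip holding only word/document.xml (not Word-openable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed fixture: the DDEAUTO keyword is split over two runs, and
# cmd.exe /k calc.exe stands in for a real first-stage downloader.
MALICIOUS_XML = r'''<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Loading...</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''

# Constructed fixture: ordinary PAGE and HYPERLINK fields, which must not be flagged.
BENIGN_XML = r'''<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p>
<w:fldSimple w:instr=" PAGE \* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> HYPERLINK "https://example.invalid/" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>link</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            with open(path, "rb") as fh:
                print(path, scan_docx(fh.read()) or "clean")
    else:
        print("malicious fixture:", scan_docx(build_docx(MALICIOUS_XML)))
        print("benign fixture:", scan_docx(build_docx(BENIGN_XML)))
```

Run it with no arguments to see the two fixtures classified, or pass .docx paths to scan real files. It only understands the OOXML container, so legacy binary .doc and RTF attachments need a different parser, and a clean result says nothing about macros or embedded objects; it answers one question only, whether a field code in the document would trigger Word's DDE prompts.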
Via: ARS Technica