InQuest Blog

Microsoft Office DDE SEC OMB Approval Lure

Posted on 2017-10-14 by Pedram Amini

In reviewing the results of our Microsoft Office DDE malware hunt, (Microsoft_Office_DDE_Command_Execution.rule) we came across an interesting lure posing as an SEC Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase chances of successful exploitation. We'll walk through the dissection of the components in this post.

Microsoft Office DDE Vortex Ransomware Targeting Poland

Posted on 2017-10-13 by Pedram Amini

Unfortunately, it appears that ransomware authors are now starting to employ the use of Microsoft Office DDE malware carriers. This post will likely be our last on DDE dissection and covers the delivery of Vortex ransomware, seemingly targeted towards Poland.

Microsoft Office DDE Freddie Mac Targeted Lure

Posted on 2017-10-13 by Pedram Amini

In reviewing the results of out Microsoft Office DDE malware hunt, (Microsoft_Office_DDE_Command_Execution.rule) we came across an interesting sample targeted to Freddie Mac employees. This post dives into the dissection of this well put together sample.

Microsoft Office DDE Macroless Command Execution Vulnerability

Posted on 2017-10-13 by Pedram Amini

On October 9th 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE).

Blog Archive

2023
- March
  - Credential Caution: Exploring the New Public Cloud File-Borne Phishing Attack
  February
  - You’ve Got Malware: The Rise of Threat Actors Using Microsoft OneNote for Malicious Campaigns
  January
  - ThreatIngestor Release v1.0.2
  - At Least 4 New Reasons Every Day To Check Your Email Security Stack

2022
- December
  - The Importance of Email Hygiene
  - Black Basta: Riding the Crimeware Sleigh
  November
  - Don’t Get Caught Under The MistleTOAD
  October
  - Hiding in the XML
  September
  August
  July
  June
  - GlowSand
  - Follina, the Latest in a Long Chain of Microsoft Office Exploits
  May
  - Tandem Espionage
  - Detection Multiplexing
  April
  March
  - Cloud Atlas Maldoc
  February
  - Dangerously thinBasic
  - +380-GlowSpark
  January
  - 2022-01 AsyncRAT
  - Analysis of a Remcos RAT Dropper

2021
- December
  - Log4Shell
  - (Don't) Bring Dridex Home for the Holidays
  November
  - Graphical Lures In The Age of Cybercrime.
  - Adults Only Malware Lures
  October
  - How Email Works
  - Advanced Qbot Downloader
  September
  - Rechnung Financial Malspam
  - CVE-2021-40444
  August
  - The Trystero Project
  - Kimsuky Espionage Campaign
  July
  - Espionage Utilizing Mobile Devices
  - IcedID: 07.07.21
  June
  May
  - PSChain
  - Dive Into Cobalt Strike
  April
  - An Exploration and Explanation of Randomized Parameter Optimization
  - Unearthing Hancitor Infrastructure
  March
  - InQuest & MalwareBazaar Integration
  - Mail Provider Comparison
  February
  - Cracking Password Protected Payloads
  January
  - Carving Images for Leisure and Gain
  - String Encoding and YARA... Oh My

2020
- December
  - Social Engineering Attacks And E-mail Security
  - Clustering for Classification: Using Unsupervised Learning for Label Expansion
  November
  - The Trystero Project: A Comparison of Mail Providers
  - SOC-Class: Use Case Development
  October
  - Cybersecurity Awareness Month
  - Cerbero Suite: The Hacker’s Multitool
  September
  - InQuest Labs Year in Review
  - IQ-FA009:QBot OOXML
  August
  - Detection in Depth
  - Persian Kitties Hiding Benign Executables
  July
  June
  - Get The Most Out Of Your IoC: The Beginner’s Guide
  May
  April
  - Deep File Inspection for Data Leakage
  March
  - COVID-19 Scare Tactics: Want to buy some masks?
  - Getting Sneakier: Hidden Sheets, Data Connections, and XLM Macros
  February
  - Reverse Engineering on Windows: A Focus on Malware
  - Hiding In Plain Sight
  January
  - Pyramid of Pain Vs. The Iceberg of Inspection
  - Internship Retrospective

2019
- December
  - Threat Hunting On Your Own Network With InQuest
  - Ransomware in Your Stocking
  November
  - Holiday Blog: Tis' the Season
  - Field Notes: Multistage Maldoc Delivers Executable Masked as JPG
  October
  - Base64 Encoded Regular Expressions for Fun and Profit
  - Programmatic Interaction with InQuest Labs via Python
  September
  - Adobe XMP: Tales of an Overlooked Anchor
  - Advanced Support for the SOC Hunter
  August
  July
  - Base64 Encoded Powershell Pivots
  - Emotet, Unmasking via Machine Learning
  June
  - YARA For Everyone: Sharing is Caring
  May
  - Abusing Registration-Free COM Interop
  April
  - Analysis of an Interesting Malicious HTA File
  March
  - Making a Twitter Bot with ThreatIngestor
  - Analyzing Sophisticated PowerShell Targeting Japan
  February
  - Family Matters: Using MinHash to Cluster Data
  - Quick Analysis of A Customer Malspam Encounter
  January
  - Extracting "Sneaky" Excel XLM Macros
  - Detecting Empire with InQuest

2018
- December
  - Ex Machina: A Frolic through the Forests
  - Short-Circuiting Boolean Operators in YARA
  November
  - Ex Machina: Man + Machine
  September
  - Stringless YARA Rules
  July
  - Field Notes: Malicious HFS Instances Serving Gh0stRAT
  May
  April
  March
  - InQuest Provides Zero-Day Coverage Against Advanced Threats via Partner Exodus Intel
  - Defense in Depth: Detonation Technologies
  February
  - An Introduction to Deep File Inspection
  - Adobe Flash MediaPlayer DRM Use-After-Free Vulnerability
  January
  - InQuest Deployed by DISA in the Joint Regional Security Stack (JRSS)

2017
- October

Blog Tags

Subscribe to InQuest Insider