Cybersecurity Alert: North Korean Trojan Malware and Microsoft DDE Security Advisory

November 16, 2017

North Korean Trojan Malware (Volgmer)

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) released a joint technical alert on Monday, November 14 regarding malicious cyber activity by the North Korean government, referred to as HIDDEN COBRA. The alert identified IP addresses and other indicators of compromise (IOCs) connected to a backdoor Trojan malware variant commonly known as Volgmer. The DHS and FBI suspect that spear phishing is the primary delivery mechanism for Volgmer infections. Volgmer allows hackers to gain complete control of computer systems. The malware has targeted the government, financial, automotive, and media industries.

For a full list of IOCs, see the United States Computer Emergency Readiness Team's (US-CERT) alert.

Microsoft DDE Security Advisory

Microsoft released a security advisory on Wednesday, November 8 that provides guidance for securely opening Microsoft Office documents containing Dynamic Data Exchange (DDE) fields. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. In a phishing attack, an attacker could send an email to victims and convince them to open a file containing DDE fields. If the user disables Protected Mode and clicks through additional prompts, it could trigger a malware infection. This attack is similar to macro-based attacks; however, the Microsoft Trust Center controls that limit macro capabilities are ineffective in preventing DDE-based attacks.

Threat Details

Both Volgmer malware and attacks that abuse Microsoft's DDE protocol are delivered through phishing emails that prompt recipients to open attachments. However, unlike most file attachment threats, these threats are not delivered by macro-enabled documents and may not be blocked by spam filters. Once a user opens the file, they will be asked to allow the remote content to be updated.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures to prevent an attack that leverages Volgmer malware or Microsoft's DDE protocol:

Staff should be advised to:

  • Be wary of unsolicited emails that include attachments
  • Never enable macros or remote content on documents you were not expecting
  • Never share email or network credentials with sites outside of your firm
  • Consult IT staff when in doubt

Information Technology staff should be advised to:

  • Block outbound and inbound connections to the list of foreign IP addresses provided by the US-CERT alert
  • Block inbound and outbound connections to countries not ordinarily associated with business dealings
  • Ensure macro-enabled documents are disabled by Group Policy (which controls what users can and cannot do on a computer system)
  • Determine if DDE can be detected and/or blocked by your endpoint security tools
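
As a baseline for checking what your endpoint or mail-gateway tooling reports, the following added example (not ACA Aponix or Microsoft code) scans a .docx file for DDE and DDEAUTO field instructions, joining instruction text that Word stores across several runs. The sample documents, function names, and placeholder field arguments are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\s*DDE(AUTO)?\b", re.IGNORECASE)

def find_dde_fields(docx_bytes):
    """Return (part, instruction) pairs for DDE/DDEAUTO fields in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Fields can sit in the body, headers, footers, footnotes, comments.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            # For untrusted attachments, swap in a hardened parser (defusedxml).
            root = ET.fromstring(zf.read(name))
            # Simple fields carry the whole instruction in one attribute.
            instrs = [el.get(W + "instr", "") for el in root.iter(W + "fldSimple")]
            # Complex fields: join w:instrText runs between fldChar begin/end.
            stack = []
            for el in root.iter():
                if el.tag == W + "fldChar":
                    kind = el.get(W + "fldCharType")
                    if kind == "begin":
                        stack.append([])
                    elif kind == "end" and stack:
                        instrs.append("".join(stack.pop()))
                elif el.tag == W + "instrText" and stack:
                    stack[-1].append(el.text or "")
            instrs += ["".join(parts) for parts in stack]  # unterminated fields
            hits += [(name, i.strip()) for i in instrs if DDE_RE.match(i)]
    return hits

def make_docx(body):
    """Build a minimal constructed .docx (only word/document.xml) in memory."""
    xml = f'<w:document xmlns:w="{W[1:-1]}"><w:body>{body}</w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()

# Constructed samples: a DDEAUTO field split across two runs, and a PAGE field.
SPLIT_DDE = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO "placeholder-app" "placeholder-topic"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
CLEAN = make_docx('<w:p><w:fldSimple w:instr=" PAGE "/></w:p>')
```

A tool that only matches the literal string "DDEAUTO" in the raw XML would miss the split sample, which is why the runs are joined before matching.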

If you have any questions, please contact your ACA Aponix consultant or email us at