Locky ransomware is using new attack methods to evade detection and improve its infection rate.
One of those methods is abuse of the Dynamic Data Exchange (DDE) protocol, which was designed to let Windows applications transfer data between each other. DDE consists of a set of messages and guidelines and uses shared memory to exchange data between applications.
Attackers use DDE in Office documents to run malware automatically without relying on macros. DDE, which allows an Office application to load data from another Office application, was replaced by Microsoft with Object Linking and Embedding (OLE) but continues to be supported.
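Because a DDE-based document carries no VBA project, macro-oriented checks never fire on it; the thing to look for is the field code itself. The scanner below is an added example for triaging such documents and is not code from the article or from any of the researchers it cites. It treats a .docx as the ZIP package it is, reassembles each field instruction from the `w:instrText` runs Word splits it into (a naive substring search misses a keyword that straddles two runs), and flags any instruction beginning with `DDE` or `DDEAUTO`. The sample documents, the field arguments `"example-app"` and `"example-topic"`, and the helper names are all constructed for this demonstration.

```python
"""Triage check: find DDE / DDEAUTO field codes inside a .docx package."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def w(tag: str) -> str:
    """Return the namespaced WordprocessingML tag name for ElementTree."""
    return f"{{{W_NS}}}{tag}"


# Package parts that may carry fields: body, headers, footers, notes.
FIELD_PARTS = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")

# Word accepts the keyword in any case and tolerates leading whitespace.
DDE_FIELD_RE = re.compile(r"^\s*(?:DDE|DDEAUTO)\b", re.IGNORECASE)


def iter_field_instructions(part_xml: bytes):
    """Yield the complete instruction string of every field in one XML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr. Complex fields
    are a sequence of runs: a w:fldChar 'begin', one or more w:instrText pieces,
    an optional 'separate' (followed by the displayed result) and an 'end'.
    root.iter() walks in document order, so concatenating the pieces between
    'begin' and 'separate'/'end' rebuilds the instruction Word will evaluate.
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(w("fldSimple")):
        yield fld.get(w("instr"), "")
    pieces = None
    for el in root.iter():
        if el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                pieces = []
            elif kind in ("separate", "end") and pieces is not None:
                yield "".join(pieces)
                pieces = None
        elif el.tag == w("instrText") and pieces is not None:
            pieces.append(el.text or "")


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return (part name, instruction) pairs for every DDE-style field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not FIELD_PARTS.match(name):
                continue
            for instr in iter_field_instructions(zf.read(name)):
                if DDE_FIELD_RE.match(instr):
                    hits.append((name, instr.strip()))
    return hits


CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)


def build_sample_docx(instruction_runs) -> bytes:
    """Construct a minimal .docx holding one complex field (test data only).

    Each string in instruction_runs becomes its own w:instrText run, mimicking
    how Word splits a long instruction across runs.
    """
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(txt)}</w:instrText></w:r>'
        for txt in instruction_runs
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>field result shown to the reader</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a benign PAGE field, and a DDEAUTO field whose
    # keyword is split across two runs (the layout a plain grep would miss).
    benign = build_sample_docx(["PAGE"])
    suspicious = build_sample_docx(["  DDEA", 'UTO "example-app" "example-topic"'])
    print(find_dde_fields(benign))      # []
    print(find_dde_fields(suspicious))  # [('word/document.xml', 'DDEAUTO "example-app" "example-topic"')]
```

Run it against a directory of attachments by reading each file's bytes into `find_dde_fields`; any non-empty result is worth a closer look, since legitimate use of DDE fields in e-mailed invoices is rare. The scanner is deliberately permissive on case and whitespace because Word is too; a stricter pattern would let trivially obfuscated fields through.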
Locky has adopted Office documents and DDE for infection, ISC Handler Brad Duncan said on the SANS ISC InfoSec Forum. Delivered through spam emails originating from Necurs, the documents were attached to messages posing as invoices.
The analyzed attack used a first-stage malware that achieved persistence on the compromised system. The Locky binary, on the other hand, was deleted post-infection.
The use of DDE for infection, however, is only one of the methods Locky employs.