A Chinese group known as KeyBoy is targeting US companies with specially crafted Microsoft Word documents that use the Dynamic Data Exchange (DDE) protocol to fetch remote malicious payloads. Michael Patterson, CEO at Plixer, commented below.
Michael Patterson, CEO at Plixer:
“IT teams must be continuously vigilant and employees need to be alerted to this latest espionage threat. Employees should be extra careful not to click on a Microsoft Word Document, especially if it is received from someone they don’t know. Even when it is received from someone familiar, a quick call should be placed to confirm the document is real. In the case of KeyBoy’s specially crafted Microsoft Word document, a list of indicators of compromise (IoC) has been published. Network traffic analytics platforms, employing anomaly detection and historical forensic data, provide a mechanism to proactively monitor for the existence of these IoCs. KeyBoy’s attack blocks all notifications when the malware is loaded, making traffic monitoring the most effective mechanism of identifying the breach.”
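Besides watching network traffic for published IoCs, defenders can triage inbound Word documents for DDE field codes before anyone opens them. The scanner below is an added example, not part of the original article or any KeyBoy IoC list; the sample documents are constructed in memory, and field codes are joined per paragraph because Word may split one code across several runs.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by every word/*.xml part of a .docx
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(docx_bytes):
    """Return every field code found in the word/*.xml parts of a .docx.
    Complex fields keep their code in <w:instrText> runs, possibly split
    across several runs of one paragraph, so runs are concatenated per
    paragraph. Simple fields keep it in the w:instr attribute of
    <w:fldSimple>."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for para in root.iter(f"{{{W_NS}}}p"):
                parts = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
                if parts:
                    codes.append("".join(parts).strip())
            for fld in root.iter(f"{{{W_NS}}}fldSimple"):
                codes.append(fld.get(f"{{{W_NS}}}instr", "").strip())
    return codes


def find_dde_fields(docx_bytes):
    """Field codes that invoke DDE or DDEAUTO; an empty list means clean."""
    return [c for c in extract_field_codes(docx_bytes) if DDE_RE.search(c)]


def build_sample_docx(document_xml):
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: DDEAUTO code split across two instrText runs (no real command)
SAMPLE_DDE = build_sample_docx(f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO "c:/constructed/app" "sample"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
# Constructed sample: an ordinary page-number field, which must not be flagged
SAMPLE_BENIGN = build_sample_docx(f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:fldSimple w:instr="PAGE \\* MERGEFORMAT"/></w:p></w:body></w:document>')
```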