Despite the availability of fixes for the Sandworm vulnerability (CVE-2014-4114), we are still seeing new attacks that exploit this flaw. These attacks contain a new routine that could evade detection.
A New Evasion Technique
In our analysis of the vulnerability, we noted this detail:
“…[T]he vulnerability exists in PACKAGER.DLL, which is a part of Windows Object Linking and Embedding (OLE) property. By using a crafted PowerPoint document, an .INF file in an embedded OLE object can be copied from a remote SMB share folder and installed on the system. Attackers can exploit this logic defect to execute another malware, downloaded via the same means.”
In this new attack, the malicious .EXE and .INF files are embedded directly in the OLE objects, rather than being downloaded from a remote location. The advantage for the attacker is that the victim's computer never has to connect to a remote share to fetch the payload, so there is no outbound download traffic for a Network Intrusion Prevention System (NIPS) to inspect and block.
The Infection Chain
One sample we came across was part of an attack targeting an email provider. The attackers used a spoofed email to convince the recipient to open the attachment.
Figure 1. Spoofed email message
The attachment is a .PPSX file, a PowerPoint Open XML slide show that opens straight into presentation mode and carries the embedded malicious files.
Figure 2. Slide with embedded malicious file
A Closer Look
Like the samples discussed in previous entries, this one contains two OLE objects, oleObject1.bin and oleObject2.bin. A closer look at these objects shows that the malicious EXE and INF files are embedded in them.
Figure 3. oleObject1.bin showing the embedded EXE file
Figure 4. oleObject2.bin showing the embedded INF file
Viewing either OLE object in an OLE viewer shows two streams, the CompObj stream and the Ole10Native stream; the malicious files are embedded in the latter. The CompObj stream records that the Ole10Native stream was written by OLE Packager. This means the embedded EXE and INF files are treated as packages, which Packager extracts to disk and which the vulnerability then allows to be installed and run directly on the system.
Figure 5. Ole10Native stream is written by OLE Packager
When the PowerPoint file is opened, the Packager module (packager.dll) reads the information in the OLE objects and drops their contents, slide1.gif and slides.inf, into the %Temp% folder.
It then invokes InfDefaultInstall.exe to install slides.inf. INF files are setup information files that Windows normally uses to install drivers. In this particular instance, the job of slides.inf is to rename slide1.gif to slide1.gif.exe and register it under a RunOnce registry key, so that Windows executes the payload at the next logon.
Figure 6. Registry entry
The following image shows what the process flow looks like:
Figure 7. Process flow of the attack
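The two artifacts a responder has to pull apart in this chain are the Ole10Native stream that carries each embedded file and the INF that does the rename and the RunOnce registration. The following is an added triage example, written for this entry and not code from the original post or from Trend Micro. It parses the Ole10Native layout that OLE Packager writes (the layout as documented by open-source tools such as oletools, which is an assumption here, not something shown on the page), recovers the packaged file name and payload, and applies the checks that match the behaviour described above: a dropped file whose bytes are a PE executable regardless of its extension, an embedded .INF, and an INF whose [DefaultInstall] section renames a file or writes a Run/RunOnce key. The two streams, the INF text, the file paths and the PE stub are constructed for the example; they are not the real samples.

```python
"""Triage OLE Packager objects (Ole10Native streams) from a crafted PowerPoint file.

Added example, not code from the original post. Stream layout follows what
open-source tools document for OLE Packager (assumption). All sample data is constructed.
"""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Extensions Packager will happily "install" or run when activated.
DANGEROUS_EXT = {"inf", "exe", "scr", "com", "bat", "cmd", "vbs", "js", "hta", "lnk"}

# Constructed INF shaped like the behaviour described for slides.inf
# (rename slide1.gif -> slide1.gif.exe, register it under RunOnce). Not the real file.
SAMPLE_INF = b"""[Version]
Signature="$CHICAGO$"

[DefaultInstall]
RenFiles=RxRename
AddReg=RxStart

[DestinationDirs]
RxRename=1

[RxRename]
slide1.gif.exe,slide1.gif

[RxStart]
HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\slide1.gif.exe
"""


@dataclass
class PackagedFile:
    label: str      # file name shown on the slide / used when dropped
    src_path: str   # original path recorded when the attacker embedded the file
    temp_path: str  # temp path Packager recorded
    data: bytes     # embedded file content


def _read_cstring(buf: bytes, pos: int) -> tuple[str, int]:
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> PackagedFile:
    """Parse a Packager-written Ole10Native stream (assumed layout, little-endian):
    DWORD size | WORD flags | label\\0 | src_path\\0 | DWORD unknown |
    DWORD temp_len | temp_path (NUL included) | DWORD data_len | data."""
    _total, _flags = struct.unpack_from("<IH", stream, 0)
    pos = 6
    label, pos = _read_cstring(stream, pos)
    src_path, pos = _read_cstring(stream, pos)
    pos += 4  # unknown DWORD
    (temp_len,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    (size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + size]
    if len(data) != size:
        raise ValueError("truncated Ole10Native stream")
    return PackagedFile(label, src_path, temp_path, data)


def build_ole10native(label: str, src_path: str, temp_path: str, data: bytes) -> bytes:
    """Inverse of parse_ole10native; used only to construct the sample streams."""
    temp = temp_path.encode("latin-1") + b"\x00"
    body = struct.pack("<H", 2) + label.encode("latin-1") + b"\x00" + src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", 0x00030000) + struct.pack("<I", len(temp)) + temp
    body += struct.pack("<I", len(data)) + data
    return struct.pack("<I", len(body)) + body


def parse_inf(text: str) -> dict[str, list[str]]:
    """Split an INF into {section name (lowercased): [non-comment lines]}."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def inspect_inf(text: str) -> list[str]:
    """Flag RenFiles renames and AddReg writes to Run/RunOnce keys reachable from [DefaultInstall]."""
    sections, findings = parse_inf(text), []
    for line in sections.get("defaultinstall", []):
        key, _, value = (p.strip() for p in line.partition("="))
        for target in value.split(","):
            for entry in sections.get(target.strip().lower(), []):
                parts = [p.strip() for p in entry.split(",")]
                if key.lower() == "renfiles" and len(parts) >= 2:
                    findings.append(f"RenFiles: {parts[1]} -> {parts[0]}")   # INF syntax is new,old
                elif key.lower() == "addreg" and re.search(r"\\Run(Once)?(Ex)?\b", entry, re.I):
                    findings.append(f"AddReg persistence: {entry}")
    return findings


def classify(pf: PackagedFile) -> list[str]:
    findings = []
    ext = pf.label.lower().rsplit(".", 1)[-1] if "." in pf.label else ""
    if ext in DANGEROUS_EXT:
        findings.append(f"package is a .{ext} file: {pf.label}")
    if pf.data.startswith(b"MZ"):  # PE header, whatever the extension says (slide1.gif)
        findings.append(f"PE executable disguised as {pf.label}")
    if ext == "inf":
        findings += inspect_inf(pf.data.decode("latin-1"))
    return findings


def sample_streams() -> list[bytes]:
    """Two constructed streams standing in for oleObject1.bin and oleObject2.bin."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # constructed stub, not a real executable
    return [
        build_ole10native("slide1.gif", "C:\\staging\\slide1.gif", "C:\\Temp\\slide1.gif", fake_pe),
        build_ole10native("slides.inf", "C:\\staging\\slides.inf", "C:\\Temp\\slides.inf", SAMPLE_INF),
    ]


def triage(streams: list[bytes]) -> dict[str, list[str]]:
    report = {}
    for s in streams:
        pf = parse_ole10native(s)
        report[pf.label] = classify(pf)
    return report


if __name__ == "__main__":
    for name, findings in triage(sample_streams()).items():
        print(name, findings or ["no findings"])
```

To run this against a real .PPSX, unzip the archive, take ppt/embeddings/oleObject1.bin and oleObject2.bin, and feed each object's "\x01Ole10Native" stream (for example, `olefile.OleFileIO(path).openstream("\x01Ole10Native").read()`) to `parse_ole10native`. The MZ check matters more than the extension check: the dropped payload here is named slide1.gif precisely so that a name-based filter lets it through.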
We detect the crafted PowerPoint file, including slides.inf, as TROJ_MDROP.ZTBJ. The final payload, slide1.gif, is detected as TROJ_TALERET.ZTBJ-A, a known malware family used in targeted attacks against various Taiwanese industries and government organizations.
Users are strongly advised to apply the patch for this vulnerability (MS14-060). This incident also highlights the importance of applying every patch as soon as it is available: in this case, a patch from 2012 (MS12-005) already provides a preventive measure, because Packager then displays a warning before activating the embedded file, which can alert recipients to the suspicious nature of the attachment before the malicious file is run. Lastly, users and employees should not open PowerPoint files from unknown sources, as doing so may lead to a malware infection.
SHA1 of the sample mentioned in this entry:
Additional insights from MingYen Hsieh, Tim Yeh, Chingo Liao, Lucas Leong, Vico Fang, and Shih-hao Weng.