Sandworm: a Windows vulnerability being actively exploited in the wild


The Dell SonicWall Threats Research team observed reports of malware named GAV: CVE-2014-4114.A (Sandworm) actively spreading in the wild. Sandworm attacks through a vulnerability in Windows known as CVE-2014-4114, patched in Bulletin MS14-060 of Microsoft’s October 2014 Patch Tuesday.

The vulnerability allows an attacker to remotely execute arbitrary code to download and execute INF files through a crafted PowerPoint slideshow file (.PPSX). This vulnerability impacts all versions of the Windows operating system from Vista SP2 to Windows 8.1.

Translated to English:

Office of Prosecutor General of Ukraine established ties between members of Ukrainian congress and pro-Russian rebels. Lead investigator for the Ministry of Internal Affairs of Ukraine submitted information to the unified register of pre-trial investigations concerning theft of funds intended for the ATO (Anti-Terrorist Operation) by officials of Ukraine.

SECURITY SERVICE of Ukraine is conducting investigation of members of congress who supported terrorists.

Infection Cycle:

Md5: 330e8d23ab82e8a0ca6d166755408eb1

The Trojan adds the following files to the system:

  • slide1.gif [Executable file renamed to .gif, detected as GAV: BlackEnergy.B (Trojan)]
  • slides.inf [INF Configuration file]

The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • Install,,%1%\Slides1.gif.exe
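
The two behaviours this write-up attributes to slides.inf (renaming a non-executable file name to an executable one, and registering it under RunOnce) can be checked for statically. The triage script below is an added example, not SonicWall's code; the sample INF is constructed for illustration and its section names (RxRename, RxStart) are assumptions.

```python
import re
# Constructed sample INF; section names are assumptions, not taken from the page.
SAMPLE_INF = r"""
[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart
[RxRename]
slide1.gif.exe, slide1.gif
[RxStart]
HKLM,Software\Microsoft\Windows\CurrentVersion\RunOnce,Install,,%1%\slide1.gif.exe
"""

EXEC_EXT = (".exe", ".scr", ".com", ".dll", ".bat", ".cmd")
AUTORUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)

def parse_sections(text):
    """Return {lowercased section name: [lines]}, skipping blanks and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def triage_inf(text):
    """Flag RenFiles entries that produce an executable name and AddReg autorun values."""
    sections, findings = parse_sections(text), []
    for lines in sections.values():
        for line in lines:
            key, _, value = line.partition("=")
            directive = key.strip().lower()
            if not value or directive not in ("renfiles", "addreg"):
                continue
            for target in (t.strip().lower() for t in value.split(",")):
                for entry in sections.get(target, []):
                    fields = [f.strip() for f in entry.split(",")]
                    if directive == "renfiles" and len(fields) >= 2:
                        new, old = fields[0].lower(), fields[1].lower()  # INF order: new name, old name
                        if new.endswith(EXEC_EXT) and not old.endswith(EXEC_EXT):
                            findings.append(("rename-to-executable", old, new))
                    elif directive == "addreg" and len(fields) >= 5:
                        if AUTORUN_KEY.search(fields[1]):  # fields: root, subkey, name, flags, value
                            findings.append(("autorun-key", fields[1], fields[4]))
    return findings
```

Calling `triage_inf()` on the text of an INF recovered from a suspect document returns one tuple per finding; an empty list means neither pattern was present.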

The malware has two embedded files inside, oleObject1.bin and oleObject2.bin (List of congressmen.ppsx).

These files use a drive-by-download technique to download the following files from a remote server:


The downloaded files have the innocent-looking names slides.inf and slide1.gif, as though they were part of the presentation itself. Slide1.gif is actually an executable file, and slides.inf is an installer file that renames slide1.gif to slide1.gif.exe before adding a registry entry that will run the offending program when you next log on. After restart, the malware executes the following commands:

Malware Traffic

Sandworm communicates over ports 445 and 80. Requests to statically defined IPs are made on a regular basis, such as the following:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • CVE-2014-4114.A