Sandworm: a Windows vulnerability being actively exploited in the wild
The Dell SonicWall Threats Research team observed reports of malware detected as GAV: CVE-2014-4114.A (Sandworm) actively spreading in the wild. Sandworm attacks through a Windows vulnerability known as CVE-2014-4114, patched in bulletin MS14-060 of Microsoft’s October 2014 Patch Tuesday.
The vulnerability allows a remote attacker to execute arbitrary code: a crafted PowerPoint slideshow file (.PPSX) causes Windows to download and execute INF files. It impacts all versions of the Windows operating system from Vista SP2 to Windows 8.1.
Translated to English:
Office of Prosecutor General of Ukraine established ties between members of Ukrainian congress and pro-Russian rebels. Lead investigator for the Ministry of Internal Affairs of Ukraine submitted information to the unified register of pre-trial investigations concerning theft of funds intended for the ATO (Anti-Terrorist Operation) by officials of Ukraine.
SECURITY SERVICE of Ukraine is conducting investigation of members of congress who supported terrorists.
Infection Cycle:
Md5: 330e8d23ab82e8a0ca6d166755408eb1
The Trojan adds the following files to the system:
- slide1.gif [executable file renamed to .gif, detected as GAV: BlackEnergy.B (Trojan)]
- slides.inf [INF Configuration file]
The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Install,,%1%\Slides1.gif.exe
The malicious presentation (List of congressmen.ppsx) has two embedded OLE objects, oleObject1.bin and oleObject2.bin.
These objects use a drive-by download technique to fetch the following files from a remote server:
- 94.185.85.122/public/slide1.gif
- 94.185.85.122/public/slides.inf
The downloaded files have the innocent-looking names slides.inf and slide1.gif, as though they were part of the presentation itself. slide1.gif is actually an executable file, and slides.inf is an installer file that renames slide1.gif to slide1.gif.exe and then adds a registry entry that runs the renamed program at the next logon. After the restart the malware executes the following commands:
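The rename-then-RunOnce pattern described above is easy to spot statically. The following triage script is an added example, not the advisory's own code or the real slides.inf: it parses an INF file and flags RenFiles entries that turn a non-executable extension into an executable, and AddReg entries that write under Run/RunOnce. The sample INF text is constructed to mirror the behaviour the advisory reports (rename slide1.gif to slide1.gif.exe, then add a RunOnce "Install" value), so the section names and directives are assumptions.

```python
"""Static triage of an INF installer for the rename + RunOnce persistence pattern.

Added example (not the advisory's code). SAMPLE_INF is constructed to mirror the
behaviour the advisory describes, not the actual slides.inf dropped by Sandworm.
"""

# Constructed sample modelled on the advisory's description.
SAMPLE_INF = """\
[Version]
Signature = "$CHICAGO$"
Class = IEXPRESS

[DefaultInstall]
RenFiles = RxRename
AddReg = RxStart

[RxRename]
; RenFiles syntax is: new-name, old-name
slide1.gif.exe, slide1.gif

[RxStart]
; AddReg syntax is: root, subkey, value-name, flags, data
HKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "Install", , %1%\\slide1.gif.exe
"""

# Registry subkeys (lower-cased suffixes) that give autorun persistence.
PERSISTENCE_KEYS = ("currentversion\\run", "currentversion\\runonce")
# Extensions an attacker uses to disguise a PE file as harmless content.
NON_EXEC_EXT = (".gif", ".jpg", ".png", ".txt", ".pdf")
EXEC_EXT = (".exe", ".dll", ".scr", ".com")


def parse_inf(text):
    """Return {section_name_lower: [raw directive lines]}; ';' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def directive_targets(sections, section, directive):
    """Names of the sections referenced by e.g. 'RenFiles = A, B' inside [section]."""
    targets = []
    for line in sections.get(section.lower(), []):
        key, _, value = line.partition("=")
        if key.strip().lower() == directive.lower():
            targets.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return targets


def triage_inf(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    sections = parse_inf(text)

    # 1. RenFiles: a file disguised with a harmless extension renamed to an executable.
    for sec in directive_targets(sections, "DefaultInstall", "RenFiles"):
        for line in sections.get(sec, []):
            parts = [p.strip().strip('"') for p in line.split(",")]
            if len(parts) >= 2:
                new_name, old_name = parts[0], parts[1]
                if old_name.lower().endswith(NON_EXEC_EXT) and new_name.lower().endswith(EXEC_EXT):
                    findings.append(f"renames {old_name} to {new_name} (disguised executable)")

    # 2. AddReg: a value written under Run/RunOnce, i.e. autorun persistence.
    for sec in directive_targets(sections, "DefaultInstall", "AddReg"):
        for line in sections.get(sec, []):
            parts = [p.strip().strip('"') for p in line.split(",")]
            if len(parts) >= 5:
                root, subkey, value_name, _flags, data = parts[:5]
                if subkey.lower().endswith(PERSISTENCE_KEYS):
                    findings.append(f"{root}\\{subkey}\\{value_name} set to {data} (autorun persistence)")
    return findings


if __name__ == "__main__":
    for finding in triage_inf(SAMPLE_INF):
        print("SUSPICIOUS:", finding)
```

Both checks are deliberately narrow: an INF that only copies files, or only writes an unrelated registry key, produces no finding, so the script is usable as a first-pass filter on INF files carved out of mail attachments or proxy caches.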
Malware Traffic
Sandworm communicates over ports 445 and 80. Requests to statically defined IP addresses are made on a regular basis, such as the following:
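The advisory gives two things a defender can turn into detection logic: fixed network indicators (the 94.185.85.122 host and the /public/slide1.gif and /public/slides.inf paths listed above) and the observation that requests to static IPs recur on a regular basis. The script below is an added example, not the advisory's own request list or code. It matches the listed indicators against proxy-style log lines and, going one step beyond the advisory, flags any source/destination pair that talks at near-constant intervals, which catches the beaconing pattern even when the destination IP is not yet on an indicator list. The log format and all log lines are constructed; the 198.51.100.7 beacon destination is a TEST-NET address used only to illustrate the interval check.

```python
"""IoC matching and interval-regularity (beacon) detection over proxy log lines.

Added example (not the advisory's code). Indicators come from the advisory;
the log format and every log line below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators from the advisory.
IOC_IPS = {"94.185.85.122"}
IOC_PATHS = {"/public/slide1.gif", "/public/slides.inf"}
IOC_PORTS = {80, 445}

# Constructed log format: "<ISO time> <src> -> <dst>:<port> <method> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<method>\S+) (?P<path>\S+)$"
)

# Constructed sample: two payload downloads from the advisory's host, normal browsing,
# and a host beaconing every 10 minutes to an address not on any indicator list.
SAMPLE_LOG = """\
2014-10-14T10:02:11Z 10.0.0.15 -> 94.185.85.122:80 GET /public/slide1.gif
2014-10-14T10:02:12Z 10.0.0.15 -> 94.185.85.122:80 GET /public/slides.inf
2014-10-14T10:03:00Z 10.0.0.22 -> 203.0.113.5:443 GET /index.html
2014-10-14T10:05:00Z 10.0.0.31 -> 198.51.100.7:80 POST /
2014-10-14T10:15:00Z 10.0.0.31 -> 198.51.100.7:80 POST /
2014-10-14T10:25:00Z 10.0.0.31 -> 198.51.100.7:80 POST /
2014-10-14T10:35:00Z 10.0.0.31 -> 198.51.100.7:80 POST /
2014-10-14T10:40:00Z 10.0.0.22 -> 203.0.113.5:443 GET /news
"""


def match_line(line):
    """Return a hit dict for a line that touches a Sandworm indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, port, path = m["dst"], int(m["port"]), m["path"]
    reasons = []
    if dst in IOC_IPS:
        reasons.append(f"destination {dst} is a listed Sandworm download host")
    if path in IOC_PATHS:
        reasons.append(f"path {path} is a listed Sandworm payload path")
    if reasons and port not in IOC_PORTS:
        reasons.append(f"port {port} differs from the advisory's 80/445")
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": dst, "reasons": reasons}


def scan_iocs(log_text):
    """All indicator hits in a log, one dict per matching line."""
    return [hit for line in log_text.splitlines() if (hit := match_line(line))]


def hosts_to_isolate(hits):
    """Distinct internal sources that contacted an indicator, sorted for reporting."""
    return sorted({h["src"] for h in hits})


def find_beacons(log_text, min_requests=3, max_cv=0.1):
    """Map (src, dst) -> mean interval in seconds for pairs whose request gaps are
    nearly constant (coefficient of variation <= max_cv)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            times[(m["src"], m["dst"])].append(
                datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    hits = scan_iocs(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], "->", h["dst"], "; ".join(h["reasons"]))
    print("isolate:", hosts_to_isolate(hits))
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate: {src} -> {dst} every {gap:.0f}s")
```

The interval check uses the population standard deviation of the gaps divided by their mean, so a pair that polls every 600 seconds scores 0 and a pair that browses at random scores well above the 0.1 threshold; tune `min_requests` upward on busy proxies to keep the candidate list short.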
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- CVE-2014-4114.A