At least two groups of attackers are continuing to take advantage of the recently discovered Sandworm vulnerability in Windows by using an exploit that bypasses the patch. The vulnerability came to light following its exploitation by a group known as Sandworm, but there is now some evidence to suggest that at least one of these other groups was aware of its existence before its disclosure on October 14.
As with Sandworm, these attacks once again used infected PowerPoint documents, sent as email attachments, as the means of infection. These malicious attachments are detected by Symantec as Trojan.Mdropper. The attacks are being used to deliver at least two different payloads to victims, Trojan.Taidoor and Backdoor.Darkmoon (also known as Poison Ivy).
The group using Taidoor is a well-established threat actor that has been in operation since at least 2008. It has a track record of exploiting recently discovered zero-day vulnerabilities in its attacks. Most recently, in March, it exploited a Microsoft Word zero-day bug in attacks against government agencies and an educational institute in Taiwan.
What’s more disturbing is the Darkmoon variant. Clues indicate that it may have been ready for use in September, several weeks prior to the disclosure of the original Sandworm vulnerability (CVE-2014-4114). The payload compilation timestamp is September 10, while the infected PowerPoint document was last modified on September 12. Payload command-and-control activity was detected on September 24.
It must be noted that Symantec has not observed the payload delivery date, and the attackers could have used a misconfigured computer that created false timestamps. However, the correlation of the three timestamps provides a higher probability that the group had access to the vulnerability before October 14.
Figure 1. Compromised PowerPoint files exploiting Sandworm vulnerability
Microsoft is aware of the vulnerability and has issued a new security advisory warning users of possible attacks. The company has yet to release a patch for this latest issue, which is being tracked as the Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-6352).
The original Sandworm vulnerability, the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), relates to how Windows handles Object Linking and Embedding (OLE), a Microsoft technology that allows rich data from one document, or a link to another document, to be embedded in a document. OLE is generally used for embedding locally stored content, but this vulnerability allows attackers to embed OLE files from external locations, enabling the unprompted download and execution of external files. The vulnerability can be exploited to download and install malware onto the target’s computer.
While the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) relates to OLE files that have the executable payloads embedded within them.
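As an added triage example (not Symantec's code), the following Python script inspects a PowerPoint OOXML container for the two patterns described above: an OLE object relationship whose target is external to the document, and an OLE compound file embedded under ppt/embeddings. The sample document it builds is constructed in memory with a placeholder host, and the progId="Package" check assumes PowerPoint's usual name for Packager objects.

```python
import io
import re
import zipfile

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header


def triage_pptx(data: bytes) -> dict:
    """Return indicators of OLE package abuse found in a .pptx (zip) container.

    external: oleObject relationships whose target lives outside the document
              (the CVE-2014-4114 pattern: link to an external file).
    embedded: OLE compound files under ppt/embeddings/ (the CVE-2014-6352
              pattern: payload carried inside the document).
    package:  slides declaring a Packager object (assumed progId="Package").
    """
    found = {"external": [], "embedded": [], "package": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                xml = z.read(name).decode("utf-8", "replace")
                for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                    tag = m.group(0)
                    target = re.search(r'Target="([^"]*)"', tag)
                    if OLE_REL in tag and 'TargetMode="External"' in tag and target:
                        found["external"].append((name, target.group(1)))
            elif name.startswith("ppt/embeddings/"):
                if z.read(name).startswith(CFB_MAGIC):
                    found["embedded"].append(name)
            elif name.startswith("ppt/slides/") and name.endswith(".xml"):
                if 'progId="Package"' in z.read(name).decode("utf-8", "replace"):
                    found["package"].append(name)
    return found


def build_sample() -> bytes:
    """Constructed minimal .pptx-like container showing both suspicious patterns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml",
                   '<p:sld><p:oleObj progId="Package" r:id="rId2"/></p:sld>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   '<Relationships>'
                   f'<Relationship Id="rId2" Type="{OLE_REL}" '
                   'Target="file:///\\\\placeholder-host\\share\\slide1.gif" '
                   'TargetMode="External"/>'
                   f'<Relationship Id="rId3" Type="{OLE_REL}" '
                   'Target="../embeddings/oleObject1.bin"/>'
                   '</Relationships>')
        z.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 24)  # stub OLE file
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_pptx(build_sample()))
```

A hit in any of the three lists is a reason to detonate the file in a sandbox rather than open it; a clean document still usually has no external oleObject relationships.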
The new vulnerability affects all supported releases of Microsoft Windows, excluding Windows Server 2003. Microsoft has produced a Fix it solution to address known exploits. Windows users are advised to exercise caution when opening Microsoft PowerPoint files or other files from untrusted sources. It is also recommended that the User Account Control (UAC) be enabled, if it is not already enabled.
Symantec customers are protected against the malware being used in attacks exploiting this vulnerability with the following detections.
Investigation into this threat is ongoing and further protection will be introduced if required.
Symantec's DISARM technology, which ships with Symantec Message Gateway version 10.5 and later, correctly blocks payloads that exploit the Sandworm vulnerability. As DISARM does not utilize signatures, customers running it would have been protected even prior to the disclosure of the vulnerability.
Symantec recommends that users keep their security solutions up-to-date and exercise caution when opening attachments found in unsolicited emails. Symantec customers that use the Symantec.Cloud service are protected from spam messages used to deliver malware. For the best possible protection, Symantec customers should also ensure they use the latest Symantec technologies incorporated into our consumer and enterprise solutions.
Update – October 24, 2014:
The intrusion prevention signature (IPS) Web Attack: Microsoft OLE RCE CVE-2014-6352 and the heuristic detection Bloodhound.Exploit.553 have been put in place to protect users against this threat. The blog has been updated accordingly.