Weaponized Powerpoint in the Wild
This post was written by Jaeson Schultz.
On October 14th information related to a new Windows vulnerability, CVE-2014-4114, was published. This new vulnerability affects all supported versions of Microsoft Windows. Windows XP, however, is not affected by this vulnerability. The problem lies in Windows’ OLE package manager. When triggered it allows for remote code execution.
In this case, attackers crafted a malicious Powerpoint document. Upon execution the Powerpoint document would extract two embedded OLE objects: a .inf file, and another executable. The .inf file is used to make changes to the host system, and launch the malicious executable. A key is added to the registry to keep the malware running after a system restart. While it has been alleged that this specific attack was initially used by threat actors in a specific region, Cisco Talos expects other attackers to begin using this technique as well because of the simplicity of the attack vector.
Here is a list of the IP address Indicators of Compromise:
The malicious Powerpoint document has a SHA256 hash value of:
Advanced Malware Protection (AMP) customers are protected from this threat. Similarly, customers deploying Cisco IronPort Web Security Appliances (WSA) and users of Cisco Cloud Web Security (CWS) are also protected. Customers using Cisco IronPort Email Security Appliance (ESA) are protected from malicious attachments exploiting this vulnerability. Snort signatures 32186 and 32187 provide coverage for this vulnerability.