Attackers bypass Sandworm patch with new 0-day

The Sandworm vulnerability has been patched, but unfortunately attackers have discovered a way to bypass the patch and continue with their targeted attacks.

“As with Sandworm, these attacks once again used infected PowerPoint documents, sent as email attachments, as the means of infection,” Symantec researchers warn. “The attacks are being used to deliver at least two different payloads to victims, Trojan.Taidoor and Backdoor.Darkmoon (also known as Poison Ivy).”

The former can be linked to a cyber espionage group that has a track record of exploiting zero-day vulnerabilities in its attacks and has recently targeted Taiwanese government agencies and an educational institute.

The latter is a widely used backdoor, but this particular variant seems to have been created before the first Sandworm attacks were spotted, leading researchers to speculate that the attackers had access to the vulnerability before October 14.

“While the original vulnerability (CVE-2014-4114) involved embedded OLE files linking to external files, the newer vulnerability (CVE-2014-6352) relates to OLE files that have the executable payloads embedded within them,” they explained.

There is still no patch for this second vulnerability, but Microsoft has offered a Fix It and workarounds for blocking known attack vectors. They also advise users not to open Microsoft PowerPoint files or any other Office files received or downloaded from untrusted sources. The vulnerability affects all supported Windows versions.

“In this new attack, the malicious .EXE and .INF files are already embedded into the OLE object, rather than downloading the malware in a remote location. One advantage of this approach is that it will not require the computer to connect to the download location, thus preventing any detection from the Network Intrusion Prevention System (NIPS),” Trend Micro threats analyst Ronnie Giagone noted, and shared the technical aspects of the attack.
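As an added defensive example (not code from the article or from the Symantec or Trend Micro researchers), the script below triages the embedded-payload pattern described above: it opens an OOXML PowerPoint file as a zip, looks at the objects stored under ppt/embeddings/, and flags any that carry a PE executable header, INF installer section headers, or an executable file name. The sample decks and object blobs are constructed inline; this is a heuristic for analyst triage, not a signature for either CVE.

```python
import io
import re
import zipfile

# Well-known format constants used by the heuristic.
MZ_MAGIC = b"MZ"                                  # DOS/PE executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
INF_SECTIONS = (b"[version]", b"[defaultinstall]", b"[autorun]")
# File names with executable or installer extensions stored inside a Package object.
RISKY_NAME = re.compile(rb"[\w\-. ]{1,64}\.(exe|inf|scr|com|dll)\b", re.IGNORECASE)

def inspect_embedded_object(name, blob):
    """Return human-readable findings for one embedded object blob (empty if clean)."""
    findings = []
    lowered = blob.lower()
    if blob.startswith(MZ_MAGIC) or (MZ_MAGIC in blob and b"PE\x00\x00" in blob):
        findings.append(f"{name}: PE executable header present")
    if any(section in lowered for section in INF_SECTIONS):
        findings.append(f"{name}: INF installer section headers present")
    hit = RISKY_NAME.search(blob)
    if hit:
        findings.append(f"{name}: embedded file name {hit.group(0).decode(errors='replace')!r}")
    return findings

def scan_pptx(data):
    """Scan a PPTX (OOXML zip) for embedded OLE objects that carry executable content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as deck:
        for entry in deck.namelist():
            # Embedded OLE objects live under ppt/embeddings/ (e.g. oleObject1.bin).
            if entry.startswith("ppt/embeddings/"):
                findings.extend(inspect_embedded_object(entry, deck.read(entry)))
    return findings

def build_sample_pptx(object_blob):
    """Construct a minimal PPTX-shaped zip with one embedded object (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as deck:
        deck.writestr("[Content_Types].xml", "<Types/>")
        deck.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        deck.writestr("ppt/embeddings/oleObject1.bin", object_blob)
    return buf.getvalue()

# Constructed samples: a harmless embedded object and one carrying the markers described above.
BENIGN_OBJECT = OLE_MAGIC + b"\x00" * 120 + b"Workbook" + b"\x00" * 64
SUSPICIOUS_OBJECT = (OLE_MAGIC + b"\x00" * 32 + b"slide1.exe\x00"
                     + b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                     + b"[Version]\r\nSignature=\"$Chicago$\"\r\n[DefaultInstall]\r\n")

if __name__ == "__main__":
    for label, obj in (("benign", BENIGN_OBJECT), ("suspicious", SUSPICIOUS_OBJECT)):
        print(label, scan_pptx(build_sample_pptx(obj)) or ["no findings"])
```

Legitimate embedded spreadsheets or charts produce no findings, while a Package object wrapping an executable plus an INF file trips all three checks; in practice the flagged object would be extracted and detonated in a sandbox rather than judged on the heuristic alone.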

He also pointed out that an old patch released in 2012 by Microsoft could prevent the attacks from succeeding. “The presence of this specific patch alone can deter attacks as the message can alert recipients into the suspicious nature of the file before opening said malicious file.”

Trend Micro and iSight Partners have also been monitoring the activities of the Sandworm team, and say that the attackers are targeting industrial control systems (ICS), WinCC, Siemens HMI and SCADA software.
