Method: Windows Malware – ThreadKit

March 25th – Researchers at Proofpoint have discovered a new type of exploit kit, called ThreadKit, that allows attackers to craft malicious Office documents that attempt to exploit CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The Word document carries an embedded executable that is decoded only after the system has been successfully exploited. In some instances, once the embedded executable has been extracted, a separate decoy document is opened. The decoy documents provided by Proofpoint contained the following text:

“Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience.”

The spam campaigns tracked by Proofpoint that use this exploit kit result in various forms of banking malware being installed on the system.

Technical analysis of campaign – https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

Proficio Threat Intelligence Recommendations:

  • Validate that the proper Microsoft Office patches have been applied by checking the Microsoft Tech Center for advisories around CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.
  • EDR products such as Carbon Black look for abuse of the various components used in this campaign, such as abnormal use of MSHTA. Validate that your endpoint solution can detect and prevent the activity described in this article.
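To illustrate the second recommendation, the following added example (not code from Proficio or Proofpoint) runs a parent/child process check over constructed, Sysmon-style process-creation events and flags an Office application that launches mshta.exe. The list of Office parents and the script hosts beyond mshta.exe are assumptions that extend the article's single indicator.

```python
import csv
import io
import ntpath

# Constructed sample process-creation events in a Sysmon-like CSV shape (not real telemetry).
SAMPLE_EVENTS = r"""time,parent_image,image,command_line
2018-03-25T10:01:02,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\WINWORD.EXE,WINWORD.EXE /n invoice.doc
2018-03-25T10:01:09,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\mshta.exe,mshta.exe C:\Users\bob\AppData\Local\Temp\tmp.hta
2018-03-25T10:02:15,C:\Windows\explorer.exe,C:\Windows\System32\mshta.exe,mshta.exe C:\Program Files\Vendor\setup.hta
2018-03-25T10:03:40,C:\Program Files\Microsoft Office\EXCEL.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c echo test
"""

# Office applications that normally have no reason to launch a script host (assumed baseline list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# mshta.exe is the component named in the article; the other hosts extend the same idea (assumption).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


def _basename(path):
    """Lower-cased file name of a Windows path, independent of the analyst's host OS."""
    return ntpath.basename(path).lower()


def find_office_spawned_script_hosts(csv_text):
    """Return one alert dict per event where an Office process is the parent of a script host."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parent = _basename(row["parent_image"])
        child = _basename(row["image"])
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            alerts.append({
                "time": row["time"],
                "parent": parent,
                "child": child,
                "command_line": row["command_line"],
            })
    return alerts


if __name__ == "__main__":
    # Only the WINWORD -> mshta and EXCEL -> cmd rows are reported; explorer -> mshta is ignored.
    for alert in find_office_spawned_script_hosts(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['parent']} -> {alert['child']}: {alert['command_line']}")
```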

Sandworm – Microsoft Windows Zero-day Vulnerability

What is it?

CVE-2014-4114 (aka “Sandworm”): A zero-day vulnerability that allows an attacker to remotely execute arbitrary code.

Who is vulnerable?

Sandworm is a zero-day impacting all versions of Microsoft Windows from Vista SP2 up to Windows 8.1, as well as Windows Server 2008 and 2012.

Where has it been seen?

Used in a Russian cyber-espionage campaign targeting NATO, the European Union, and the telecommunications and energy sectors.

How does it work?

Non-technical: opening a specially crafted file allows remote code execution. This has been seen with PowerPoint files in the wild.

Technical: “The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands.”
[copied from source: http://www.isightpartners.com/2014/10/cve-2014-4114/ ]

Additional Notes:

Microsoft classified MS14-060 as “important”, not “critical”, because the attack requires a user to open a file.

Security Operations Center Recommendations:

Update all vulnerable systems as soon as possible. Microsoft Bulletin MS14-060 fixes this bug: https://technet.microsoft.com/library/security/ms14-060

Additionally, Microsoft has released a total of eight security bulletins and updates that address them as of October 14, 2014. In total, 24 vulnerabilities are addressed in the updates. Three of them are classified as critical. More information can be found here: https://technet.microsoft.com/library/security/ms14-oct