To give the full context of this piece of malware, the harm it can do, and how to defend against it, we have conducted a more detailed analysis and share our findings in this article.

The exploit payload in this case is a PowerPoint Open XML Slide Show file named spiski_deputatov_done.ppsx. Translated from Russian, the name means “complete list of Members of Parliament”. This appears to be tied to the upcoming Ukrainian Parliamentary Elections, scheduled for October 26, 2014.

When the PPS file is opened, it displays the following image, a list of Ukrainian names, to the user:

[Figure SW-1: the slide shown to the user]


Infection chain:

1. Targeted email (hash 9de30fc2533ecfc8e4825d348f861b76) with PPS exploit attachment
2. PPS exploit (hash 330e8d23ab82e8a0ca6d166755408eb1) downloads slides1.gif
3. slides1.gif (hash 8a7c30a7a105bd62ee71214d268865e3): BlackEnergy Trojan

The PPS file contains an embedded OLE object that allows it to download and execute a remote file. Once the PPS file is opened, it downloads the two files and then executes slides.inf. Slides.inf renames slide1.gif to slide1.gif.exe and creates a RunOnce registry entry to execute it at the next system startup. Slide1.gif.exe is a variant of the BlackEnergy Trojan, a known backdoor that has been seen in the wild since at least 2010.

[Figure SW-2]

This variant of BlackEnergy infiltrates the system by dropping a library file under %APPDATA%\FONTCACHE.DAT. The library has only one export, named MakeCache, which the infector invokes through rundll32.exe. Once started, the DLL deletes the initial infector (slides1.gif).

FONTCACHE.DAT is packed with a runtime packer. The unpacked payload does not import Win32 API functions by name; instead it resolves them at runtime from a hash function and a set of precomputed hashes, which complicates static analysis.
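To turn those hash constants back into API names, an analyst precomputes the hash of every candidate export and looks the constants up. The resolver below is an added example, not code from the write-up or the sample; since the write-up does not give the sample's hash routine, the ROR-13 function is an assumed stand-in that you replace with the recovered one via `hash_fn`.

```python
# Added example (not from the write-up): a hash-to-name resolver of the kind an
# analyst builds when a payload, like the unpacked FONTCACHE.DAT, imports Win32
# APIs by hash. The sample's real hash function is not given in the write-up; the
# ROR-13 routine below is an assumed stand-in, replaceable via `hash_fn`.
from typing import Callable, Dict, Iterable, Optional

def ror13_hash(name: str) -> int:
    """Assumed stand-in: rotate-right-13 accumulate over the ASCII export name."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h

def build_hash_table(export_names: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Precompute hash -> export name; a collision would make a hash ambiguous."""
    table: Dict[int, str] = {}
    for name in export_names:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]} vs {name} ({h:#010x})")
        table[h] = name
    return table

def resolve_hashes(hashes: Iterable[int],
                   table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash constant pulled from the sample to a name, or None."""
    return {h: table.get(h) for h in hashes}

# Constructed export list: the APIs named in the write-up plus a few neighbours;
# in practice dump the export tables of the DLLs the sample loads.
EXPORTS = [
    "RpcMgmtStopServerListening", "RpcServerUseProtseqEpA", "RpcServerUnregisterIf",
    "RpcServerRegisterIfEx", "RpcServerListen", "NdrServerCall2",
    "ShellExecuteA", "ShellExecuteW", "DeleteFileA", "LoadLibraryA", "GetProcAddress",
]

if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    # Constructed "hashes from the sample": two resolvable, one unknown.
    wanted = [ror13_hash("ShellExecuteA"), ror13_hash("RpcServerListen"), 0xDEADBEEF]
    for h, name in resolve_hashes(wanted, table).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```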

The final malware code behaves more like a bot than a worm. Once resident on the machine, it listens for the following commands from its C&C server:

delete – Unregister RPC server and delete files from disk
ldplg – Download and load a plugin
unlplg – Unload a plugin
update – Attach a .bak ending to current executable, download and execute new one
dexec – Fetch binary from server and execute with ShellExecuteA
exec – Fetch binary from server and execute with ShellExecuteA
updcfg – Update own configuration

[Figure SW-3]

The bot manages its plugins as an RPC server, using the following APIs: RpcMgmtStopServerListening, RpcServerUseProtseqEpA, RpcServerUnregisterIf, RpcServerRegisterIfEx, RpcServerListen and NdrServerCall2. On Windows XP the malware persists through the Startup folder: it creates a shortcut there, named after a hardcoded GUID, whose target is

%windir%\System32\rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\FONTCACHE.DAT",MakeCache

This calls the single MakeCache export of the malicious DLL.
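The persistence and execution artifacts described above (the RunOnce entry for slide1.gif.exe, the .gif to .gif.exe rename, rundll32.exe loading FONTCACHE.DAT through MakeCache, and the GUID-named Startup shortcut) are what a host-based detection would key on. The following is an added example, not code from the write-up; it runs that logic over constructed Sysmon-style events whose dictionary field names are an assumption, and the GUID in the sample data is a placeholder.

```python
# Added example (not from the write-up): detection logic for the host artifacts
# described above: rundll32 invoking FONTCACHE.DAT,MakeCache, a RunOnce entry
# for slide1.gif.exe, the .gif -> .gif.exe rename and a GUID-named Startup
# shortcut, run over constructed Sysmon-style events (field names assumed).
import re
from typing import Dict, List, Tuple

RUNDLL_FONTCACHE = re.compile(
    r'rundll32(?:\.exe)?\s+"?[^",]*\\FONTCACHE\.DAT"?\s*,\s*MakeCache', re.I)
DOUBLE_EXT_EXE = re.compile(r"\.gif\.exe$", re.I)
RUNONCE_KEY = re.compile(r"\\CurrentVersion\\RunOnce(?:\\|$)", re.I)
STARTUP_GUID_LNK = re.compile(
    r"\\Startup\\\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\.lnk$", re.I)

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return one finding per BlackEnergy indicator the event matches."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "process" and RUNDLL_FONTCACHE.search(ev.get("cmdline", "")):
        hits.append("rundll32 invoking FONTCACHE.DAT,MakeCache (BlackEnergy loader)")
    if (kind == "registry" and RUNONCE_KEY.search(ev.get("key", ""))
            and DOUBLE_EXT_EXE.search(ev.get("data", ""))):
        hits.append("RunOnce entry pointing at a .gif.exe payload")
    if kind == "file_rename" and DOUBLE_EXT_EXE.search(ev.get("new_path", "")):
        hits.append("file renamed to a .gif.exe double extension")
    if kind == "file_create" and STARTUP_GUID_LNK.search(ev.get("path", "")):
        hits.append("GUID-named shortcut created in the Startup folder")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, finding) pairs for a whole event stream."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]

# Constructed sample events; the GUID is a placeholder, not the sample's real one.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings'
                                   r'\Administrator\Local Settings\Application Data\FONTCACHE.DAT",MakeCache'},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "data": r"C:\Temp\slide1.gif.exe"},
    {"type": "file_rename", "old_path": r"C:\Temp\slide1.gif", "new_path": r"C:\Temp\slide1.gif.exe"},
    {"type": "file_create", "path": r"C:\Documents and Settings\Administrator\Start Menu\Programs"
                                    r"\Startup\{01234567-89ab-cdef-0123-456789abcdef}.lnk"},
    {"type": "process", "cmdline": r"C:\WINDOWS\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```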

[Figure SW-4]

Attack context

As the email below shows, attacks using CVE-2014-4114 began in August 2014. Multiple organizations have been targeted.

[Figure SW-5: the targeted email]

The email purports to come from Oleh Tyagnibok (oleh.tiahnybok@vosvoboda.info). This is his real email account, but we do not know whether the sender address is spoofed or the account was actually compromised. Oleh is a presidential candidate and leader of the Ukrainian National party (Svoboda), a prominent figure in Ukrainian politics.

Furthermore, Cyphort Labs found a media website in Ukraine that appears to have been infiltrated by the attackers to spread the PowerPoint exploit. The infected presentation is hosted on SlideShare, so the site itself is safe to browse; only downloading the PPS from SlideShare and running it on Windows triggers the exploit. The page is http://povin.com.ua/genprokuratura-vstanovila-zvyazku-narodnix-deputativ-ukra%D1%97ni-z-opolchencyami/ (see screenshot below).

[Figure SW-6: Povin website]

The translation of the Ukrainian text on the website:
Prosecutor General’s Office has established a connection between members of Parliament of Ukraine and separatist militia. Yatsenyuk [Prime Minister] instructed the Prosecutor General’s Office, Federal Security Service, Ministry of Interior and Ministry of Justice to investigate all MPs, parties and associations in Ukraine in connection with supporting armed militias in the East of the country. The first results of the audit showed some political parties are supporting terrorists.

A social media account has also been set up to promote the presentation on the Russian version of Facebook (VKontakte): http://vk.com/wall-23335217_1311 (still live). 500+ people have viewed the SlideShare so far. iSight Partners initially discovered this attack, attributed it to Russia and dubbed it Sandworm.

Conclusions

Despite its name, Sandworm is not a worm, as it does not self-propagate. It is a targeted attack that uses a local file-format exploit and requires a user to open a malicious file. Beyond the exploit itself, this malware exposes malicious indicators both through its behavior on the attacked system and through its C&C activity. Customers can protect themselves with a threat monitoring and mitigation solution that inspects this object through static analysis and through its network and system behavior. I would like to thank Marion Marschalek and Paul Kimayong from the Cyphort Labs team for their help with the analysis.