CVE-2014-4114 and an Interesting AV Bypass Technique
Last Updated: 2015-06-16 19:22:45 UTC
by John Bambenek (Version: 1)
Citizenlabs recently reported on a CVE-2014-4114 campaign against pro-democracy / pro-Tibetian groups in Hong Kong. The attacks happening should not surprise anyone, nor that the attacks were sophisticated. The vulnerability itself was patched with MS14-060 and has been used by APT and crime groups for sometime. Trend Micro wrote a good write-up of the issue here.
What is interesting is what, in effect, is an anti-virus bypass that was employed by the actors. This bypass was discussed in this report (disclaimer, from my day job). In short, when CVE-2014-4114 exploit code was put into a .ppsx file generated by the exploit kit, it triggered AV. When the same file was saved as a .pps file, those same AV engines stop detecting it. The ppsx file format (Powerpoint slideshow format / XML) is the more modern format. The .pps format was used in Office 97-2003 using the OLE format. Even though AV engines stop detecting the malicious document, the exploit code ran without issue.
The first takeaway is, obviously, patch your systems and it is surprising how many targeted political organizations seem vulnerable to exploits that have had patches out for months.
The second is, the same malicious code may be represented differently in different file types and its important to get coverage of those other formats to ensure complete protection.
bambenek \at\ gmail /dot/ com