Full Report
In this post we provide additional information on how a specially crafted PowerPoint slideshow file (.PPSX) led to the execution of a BlackEnergy dropper.
Analysis Summary
# Vulnerability: Malicious OLE Object Loading in Microsoft PowerPoint (CVE-2014-4114)
## CVE Details
- CVE ID: CVE-2014-4114
- CVSS Score: Not given in the text. Treat it as high severity: opening the document yields code execution with no prompt the user could decline, and the flaw was exploited in the wild in targeted espionage campaigns.
- CWE: Not stated in the text. (CWE-362, Race Condition, does not fit the behaviour described. The report describes PowerPoint loading embedded OLE objects from arbitrary remote paths without warning the user, i.e. unsafe handling of untrusted external resources, and compares it to the warning bypass addressed by MS12-005.)
## Affected Systems
- Products: Microsoft PowerPoint, as the application that opens the crafted file. (The text frames this as a PowerPoint issue; Microsoft's fix shipped as a Windows OLE update, MS14-060, since PowerPoint relies on Windows OLE to load these objects.)
- Versions: Not listed in the text.
- Configurations: Triggered by crafted `.PPSX` (PowerPoint Show) files whose slides reference embedded OLE objects located on remote network paths.
## Vulnerability Description
When PowerPoint opens a specially crafted `.PPSX` file it loads the embedded OLE objects the slide references, and it did so from arbitrary, untrusted network locations without issuing any warning pop-up. In the observed attack the two referenced objects were `slide1.gif`, a BlackEnergy Lite dropper disguised as an image, and `slides.inf`. Once fetched, the `.INF` file was processed: it renamed the camouflaged `slide1.gif` to `slide1.gif.exe` and created a Windows Registry entry that caused the renamed executable to run. The net effect is arbitrary code execution, and in this case malware installation, from nothing more than opening a document that looks harmless.
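To make the file structure concrete, here is an added example that is not from ESET's post or from the BlackEnergy samples. A `.PPSX` is an OOXML zip, and each slide's relationships part (`ppt/slides/_rels/slideN.xml.rels`) declares where the slide's OLE objects come from; a relationship of type `oleObject` with `TargetMode="External"` tells PowerPoint to fetch the object from the given path rather than from inside the package. The scanner below builds a minimal constructed package whose slide references two OLE objects on a UNC share (the host `example.invalid`, the share name and the file names are placeholders, not indicators) and lists every OLE relationship that would resolve outside the package.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Targets that are not plain in-package paths: UNC paths, file:// URIs, http(s)/ftp URLs.
REMOTE_RE = re.compile(r"^(\\\\|file:|https?:|ftp:)", re.IGNORECASE)


def external_ole_targets(ppsx_bytes):
    """Return [(rels_part, rel_id, target)] for oleObject relationships
    that PowerPoint would resolve outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != OLE_REL:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if external or REMOTE_RE.match(target):
                    findings.append((part, rel.get("Id"), target))
    return findings


def build_sample_ppsx():
    """Constructed minimal package (not a real sample): one slide whose
    relationships pull two OLE objects from a UNC share. Host, share and
    file names are placeholders; rId4 is a normal in-package object."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<Relationships xmlns="%s">\n'
        '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>\n'
        '  <Relationship Id="rId2" Type="%s" Target="file:///\\\\example.invalid\\public\\slide1.gif" TargetMode="External"/>\n'
        '  <Relationship Id="rId3" Type="%s" Target="file:///\\\\example.invalid\\public\\slides.inf" TargetMode="External"/>\n'
        '  <Relationship Id="rId4" Type="%s" Target="../embeddings/oleObject1.bin"/>\n'
        '</Relationships>\n'
    ) % (PKG_NS, OLE_REL, OLE_REL, OLE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("ppt/slides/slide1.xml", "<p:sld/>")  # placeholder slide body, never parsed here
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_id, target in external_ole_targets(build_sample_ppsx()):
        print(f"{part}: {rel_id} -> {target}")
```

Run it against real files by passing the bytes of a `.PPSX` to `external_ole_targets`; a legitimate presentation almost never carries an `oleObject` relationship with `TargetMode="External"`, so any hit deserves a look before the file is opened.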
## Exploitation
- Status: Exploited in the wild (used in the August 2014 BlackEnergy spear-phishing campaigns against Ukrainian targets).
- Complexity: Low. The only user action required is opening the spear-phishing attachment; no further prompt or click is needed, because the warning dialog is absent.
- Attack Vector: Network. The `.PPSX` arrives as an e-mail attachment, and the OLE objects it references are fetched from a remote network location when the file is opened.
## Impact
- Confidentiality: High. The dropper installs BlackEnergy, used in these campaigns for espionage, so data theft follows.
- Integrity: High. Arbitrary code executes in the context of the user who opened the file, and the host is compromised.
- Availability: Medium to High, depending on the secondary payload; at minimum a persistent backdoor is installed, and follow-on components can disrupt the system.
## Remediation
### Patches
- Microsoft patched CVE-2014-4114 in security bulletin MS14-060 (October 2014). Applying it removes the infection vector used in these campaigns. (The original text refers only to the official Microsoft patch for CVE-2014-4114 without naming the bulletin.)
### Workarounds
- None listed beyond applying the patch. Because the attack depends on PowerPoint retrieving the OLE objects from a remote network location at open time, generic controls help until the update is deployed: treat unsolicited `.PPSX` attachments as untrusted, and restrict workstations from fetching files from external network paths. These are general measures, not ones taken from the text.
## Detection
- Indicators of Compromise: an executable created by renaming a camouflaged file (here `slide1.gif` became `slide1.gif.exe`) shortly after a `.PPSX` was opened, an `.INF` file (`slides.inf`) fetched alongside it, and a new Windows Registry entry pointing at the renamed executable. The double extension is a useful hunting pattern on its own.
- Detection methods and tools: endpoint telemetry that correlates PowerPoint opening a document with outbound connections to fetch external resources, processing of an `.INF` file, creation of a `.exe` from an image-named file, and registry changes in the same window. Static inspection of the document can also flag slide relationships whose OLE objects point to locations outside the package.
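As an added example of the detection logic (not from the original post), the script below runs three rules over constructed, Sysmon-style event records: PowerPoint connecting to a host outside assumed internal ranges, creation of an executable whose name retains an image or `.INF` camouflage extension, and an autorun registry value pointing at such a file. Field names loosely follow Sysmon event IDs 3, 11 and 13; the IP address, paths, the name of the process that handled the `.INF`, the internal address ranges and the registry key are all placeholders or assumptions, since the post names only "a Windows Registry entry".

```python
import ipaddress
import re

# Executable whose name still carries the camouflage extension, e.g. slide1.gif.exe
DOUBLE_EXT_RE = re.compile(r"\.(gif|jpe?g|png|bmp|inf)\.exe$", re.IGNORECASE)
# Assumed autorun locations (lower-cased); the post only says "a Windows Registry entry".
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumed organisation-internal ranges; any other destination counts as remote.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry (EventID 3 = network connection, 11 = file create,
# 13 = registry value set). Host, user, paths and the process that processed the
# .INF are placeholders, not observed values.
EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE",
     "DestinationIp": "198.51.100.10", "DestinationPort": 445},
    {"EventID": 11, "Image": r"C:\Windows\System32\inf_handler_placeholder.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\slide1.gif.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\inf_handler_placeholder.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\slide",
     "Details": r"C:\Users\alice\AppData\Local\Temp\slide1.gif.exe"},
    # benign noise the rules must not flag
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\Office15\POWERPNT.EXE",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Pictures\holiday.gif"},
]


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Return the name of the rule an event trips, or None."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    if eid == 3 and image.endswith("powerpnt.exe") and not is_internal(ev["DestinationIp"]):
        return "office_remote_connection"
    if eid == 11 and DOUBLE_EXT_RE.search(ev.get("TargetFilename", "")):
        return "camouflaged_exe_created"
    if eid == 13 and DOUBLE_EXT_RE.search(ev.get("Details", "")) \
            and any(k in ev.get("TargetObject", "").lower() for k in AUTORUN_KEYS):
        return "autorun_points_to_camouflaged_exe"
    return None


def detect(events):
    """Return [(rule, event)] in input order. All three rules firing on one
    host within a short window is the sequence the description above lays out."""
    return [(rule, ev) for ev in events if (rule := classify(ev))]


if __name__ == "__main__":
    for rule, ev in detect(EVENTS):
        print(rule, ev.get("DestinationIp") or ev.get("TargetFilename") or ev.get("Details"))
```

The rules are deliberately independent of which process handled the `.INF`, because that detail is not in the post; the file name pattern and the autorun value are the stable signals. Outbound SMB (port 445) from an Office process is included in the sample because it is a strong signal in general, but the first rule fires on any remote destination.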
## References
- Vendor Advisories: Microsoft's fix for CVE-2014-4114 (security bulletin MS14-060) and MS12-005, which addressed a similar warning bypass.
- Relevant links:
  - Presentation Abstract: hxxps://www.virusbtn.com/conference/vb2014/abstracts/LM3-LipovskyCherepanov.xml
  - Previous ESET post: hxxps://www.welivesecurity.com/2014/09/22/back-in-blackenergy-2014/