- Copy file from remote shared folder
- Install downloaded .INF file

We analyzed the PPSX sample (MD5 hash: 330e8d23ab82e8a0ca6d166755408eb1) to investigate how this happens. We unzip the .PPSX file to see the content files of this PPT exploit, as seen below:

Figure 1. Folder structure of PPSX file

The following is the content of oleObject1.bin and oleObject2.bin. It indicates that the said OLE objects reside in a remote shared folder.

Figures 2-3. Content of oleObject1.bin and oleObject2.bin

In slide1.xml, we can see that it refers to two Packager Shell Objects, “rId4” and “rId5”.

Figure 4. Content of slide1.xml (part 1)

In slide1.xml.rels, “rId4” and “rId5” are defined as the two OLE objects above.

Figure 5. Content of slide1.xml.rels

When slide1 is opened, the files “slide1.gif” and “slides.inf” are copied to the local system by packager.dll. Also in slide1.xml, some actions are described: one is “-3” and another is “3”. These two actions are called when loading the two OLE objects. This routine is seen in the packager!CPackage::DoVerb() function.

Figure 6. Content of slide1.xml (part 2)

For slide1.gif, if the parameter is “-3”, the function does nothing. However, if “slides.inf” is loaded and the parameter is “3”, it installs the .INF file. The screenshot below is the call stack when InfDefaultInstall.exe is executed:

Figure 7. Call stack of INF installation

After that, the INF renames slide1.gif to slide1.gif.exe and adds a registry RunOnce value for it. This is done so that on the next system boot, the Trojan is executed automatically. We detect the exploit as TROJ_MDLOAD.PGTY, which leads to the download of INF_BLACKEN.A when successfully exploited. This malware, in turn, downloads and executes the backdoor, which we detect as BKDR_BLACKEN.A. Because this vulnerability is not arduous to exploit, attackers may abuse it to create new malware payloads. Trend Micro secures users from this threat by detecting the exploit and malware payload via its Smart Protection Network. Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability via the following DPI rules:
- 1006290 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)
- 1006291 - Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) - 1
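The analysis above hinges on one observable trait: the embedded oleObject*.bin streams carry a UNC path to a remote shared folder from which packager.dll copies the files. The following is an added Python triage check (not Trend Micro's code or tooling) that unzips a PPSX in memory and flags any embedded OLE object whose bytes contain such a path; the archive it scans is constructed inline for the demonstration and the host 192.0.2.10 is a placeholder.

```python
import io
import re
import zipfile

# A UNC path (\\host\share\...) in ASCII and in UTF-16LE, the two encodings
# in which file names typically appear inside OLE packager streams.
UNC_ASCII = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\x00\"<>|]{1,200}")
UNC_UTF16 = re.compile(
    rb"(?:\\\x00){2}(?:[A-Za-z0-9._-]\x00)+\\\x00(?:[^\x00]\x00){1,200}")


def scan_ppsx(data: bytes):
    """Return (member, unc_path) for every embedded OLE object that names a
    remote share, i.e. an object that would make packager.dll fetch a file
    from that share when the slide is shown."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # OOXML keeps embedded OLE objects under ppt/embeddings/
            if not (name.startswith("ppt/embeddings/") and name.endswith(".bin")):
                continue
            blob = zf.read(name)
            for m in UNC_ASCII.finditer(blob):
                findings.append((name, m.group(0).decode("latin-1")))
            for m in UNC_UTF16.finditer(blob):
                findings.append((name, m.group(0).decode("utf-16-le")))
    return findings


def build_sample() -> bytes:
    """Constructed PPSX-like archive for the demo (not the analyzed sample):
    two objects pointing at a share, plus one with only a local path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/embeddings/oleObject1.bin",
                    b"\x00" * 16 + b"\\\\192.0.2.10\\share\\slide1.gif" + b"\x00" * 8)
        zf.writestr("ppt/embeddings/oleObject2.bin",
                    b"\x00" * 16
                    + "\\\\192.0.2.10\\share\\slides.inf".encode("utf-16-le")
                    + b"\x00" * 8)
        zf.writestr("ppt/embeddings/oleObject3.bin",
                    b"\x00" * 32 + b"C:\\local\\notes.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for member, path in scan_ppsx(build_sample()):
        print(f"{member}: references remote share {path}")
```

A hit is a triage signal, not proof of exploitation: legitimate decks rarely embed packager objects that reach out to a share, so every hit deserves a look at the referenced file names and the animation verbs in slide1.xml.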