You are here

Home:Blogs:Ebola Spreads - In Cyber Attacks Too
X-Labs
October 23, 2014

Ebola Spreads - In Cyber Attacks Too

Ulysses Wang
Email Security Exploit Vulnerability Zero Day

The Ebola virus has been spreading in West Africa since first appearing in Guinea in December, 2013. Its rising rate of infection, high mortality rate, and challenging isolation and containment requirements have raised world-wide alarm. 

Against that backdrop, Websense® Security Labs has found two distinct malicious campaigns that take advantage of the Ebola issue, and it's probably safe to assume that the topic will continue to be abused in the future.

DarkKomet RAT/Backdoor Campaign

Beginning October 10, 2014, Websense® ThreatSeeker® Intelligence Cloud has detected thousands of malicious emails taking advantage of the Ebola topic. The subject line is:

  • Subject: Ebola Safety Tips-By WHO

At the beginning of the campaign, the messages contained a redirect URL that led victims to a download location for a RAR archive. The archive contained the DarkKomet RAT/Backdoor. DarkKomet is a Remote Administration Tool (RAT) that provides full access to remote clients. It is used by attackers to control the victim's computer and steal information. In more recent emails, the campaign evolved to include direct attachment of executables, and then to direct attachment of a RAR archive containing the executable. The sample below shows the RAR attachment variant.

Email

The malware in this campaign contacted a server located in Romania: 5.254.112.46:1604

ThreatScope has identified malware samples as malicious. Here are two file variants in the campaign:

SHA1 : e2bdede8375da63998562f55a77d4b078d3b5646     ThreatScope Analysis Report : Link

SHA1 : 91ff874eb5bde1bb6703e01d7603d3126ddd01fc       ThreatScope Analysis Report : Link

CVE-2014-4114 & CVE-2014-6352 - Windows OLE Remote Code Execution Vulnerabilities

On October 14, 2014, iSIGHT discovered vulnerability CVE-2014-4114, used in the Sandworm campaign that targeted NATO, the European Union, and members of the Telecommunications and Energy sectors. CVE-2014-4114 can allow remote code execution if a user opens a specially crafted Microsoft Office file containing an OLE object. The vulnerability is in all supported releases of Microsoft Windows, excluding Windows Server 2003. Because the vulnerability does not involve memory corruption that can result in shellcode, and because it is in the category of 'design error', protection methods like DEP and ASLR are not effective. Example exploit code for CVE-2014-4114 has been spotted posted on the web. Criminal actors could potentially use it to build a vulnerable PowerPoint file to spread the malware. Also, shortly after the disclosure of CVE-2014-4114, a very similar vulnerability that also targets OLE objects, surfaced  and is described as CVE-2014-6532. While CVE-2014-4114 has been patched by Microsoft, CVE-2014-6532 still awaits a patch.

Websense® Security Labs has noticed that the Ebola topic has been abused in relation to CVE-2014-4114. A sample from a third-party source, named "Ebola in American.pps", was leveraging CVE-2014-4114 to download and execute a payload from a remote address via the SMB protocol, which most of the time isn't allowed to connect to public Internet addresses.

  • \\220.135.249.228\public\install.inf
  • \\220.135.249.228\public\word.exe

It is possible to detect CVE-2014-6352 using Yara. Here is a Yara rule that can be run against Microsoft Office files to surface the vulnerability. The rule could use a bit of tweaking and expanding to include INF files:

rule cve_2014_6352

{
strings:

        $rootentry = {52 00 6F 00 6F 00 74 00 20 00 45 00 6E 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00}

        $ole10native = {4F 00 ( 4C | 6C ) 00 ( 45 | 65 ) 00 31 00 30 00 4E 00 61 00 74 00 69 00 76 00 65 00 00}

        $c = "This program cannot be run in DOS mode"

condition:

     ($rootentry or $ole10native) and $c

}

 

Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the different stages of the attack detailed below:

  • Stage 2 (Lure) – ACE protects against lure email messages and URLs containing the threat.
  • Stage 4 (Exploit) – ACE has real-time detection for exploit code that attempts to deliver the threat.
  • Stage 5 (Dropper) – ACE has detection for the malicious files delivered by this threat.
  • Stage 6 (Call Home) – ACE detects the communication to the associated C&C points associated with this threat.

 

Blog contributors: Ulysses Wang, Ran Mosessco, Nicholas Griffin.

Editor’s note: All published links found to be broken, obsolete or otherwise inactive are subsequently removed from existing entries.

UW

Ulysses Wang

Read more articles by Ulysses Wang

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.
Learn more about Forcepoint