Fidelis Threat Advisory #1017
Phishing in Plain Sight
Fidelis Cybersecurity analysis has identified unrelated cyber criminal activity leveraging the vulnerability cited in CVE-2014-4114, which was initially exploited by advanced persistent threat (APT) actors in October 2014. Notably, some of this recent activity showed actors bypassing antivirus detection by saving the weaponized PowerPoint document in Slide Show presentation format, so that the malware executed as soon as the document was opened. The identification of cyber crime actors, particularly Nigerian 419 scam operators, attempting to exploit CVE-2014-4114 demonstrates how quickly cyber criminals move to exploit a vulnerability previously associated with espionage actors, using similar tactics, techniques, and procedures (TTP) to maximize their chances of success, while adding their own innovations, as seen in these samples.
- We identified threat actors using weaponized PowerPoint documents that exploited CVE-2014-4114 to create an executable dropper, which then installed whichever malware the actor chose on the victim system.
- In order for the exploit to trigger, the malicious document must be opened in Slide Show presentation format (e.g. as a PPSX or PPS file, or by choosing to view the document in presentation mode from within PowerPoint). We observed the adversary saving the document in PPS format in order to bypass all antivirus detection. See APPENDIX B for more details.
- Based on our observations, multiple seemingly unrelated cyber crime campaigns of varying sophistication levels are targeting the CVE-2014-4114 vulnerability. We believe that cyber criminals, particularly Nigerian 419 actors, are now seeking to exploit vulnerabilities first leveraged by espionage actors. If true, this would represent an evolution in 419 actor TTPs from previous operations.
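A defender-side triage check for the Slide Show detail described above, written as an added example rather than code from Fidelis or this advisory: it inspects an OOXML PowerPoint container (PPTX/PPSX) for the Slide Show main-part content type and for embedded OLE object parts, and flags the combination. It handles only the OOXML zip format, not the legacy binary PPS container; the `build_sample` helper constructs a minimal test file and is not a real lure.

```python
import io
import zipfile

# Main-part content types from ECMA-376: a Slide Show (PPSX) declares a
# different main part than a normal presentation (PPTX).
SLIDESHOW_CT = "application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"
PRESENTATION_CT = "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"


def triage_pptx(data: bytes) -> dict:
    """Classify one OOXML PowerPoint container: format, embedded OLE parts, verdict."""
    result = {"format": "unknown", "embedded_objects": 0, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not OOXML; legacy binary .pps is out of scope here
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if SLIDESHOW_CT in ct:
                result["format"] = "slideshow"
            elif PRESENTATION_CT in ct:
                result["format"] = "presentation"
        # Embedded OLE objects are stored as parts under ppt/embeddings/.
        result["embedded_objects"] = sum(1 for n in names if n.startswith("ppt/embeddings/"))
    # Slide Show format carrying embedded objects matches the lure pattern.
    result["suspicious"] = result["format"] == "slideshow" and result["embedded_objects"] > 0
    return result


def build_sample(slideshow: bool, with_embedding: bool) -> bytes:
    """Constructed minimal OOXML container for offline testing (not a real lure)."""
    main_ct = SLIDESHOW_CT if slideshow else PRESENTATION_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/ppt/presentation.xml" ContentType="{main_ct}"/></Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        if with_embedding:  # stand-in for an embedded OLE package part
            zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()
```

The verdict is a triage signal for mail-gateway or sandbox pipelines, not proof of exploitation; a flagged file still needs the embedded object examined.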
To see the full report and findings, visit Fidelis Threat Advisory #1017
For a more detailed look at the technical indicators visit Fidelis Threat Advisory #1017 Appendix