It is common belief that APT groups are masters of exploitation. If anyone, they should know everything about at, right? Our research into the real world uses of the CVE-2014-1761 vulnerability shows that it is far from being true.
It is a common practice in the anti-malware world that the security products are compared to each other in comparative tests. Even the tests themselves can be evaluated by the criteria of the Anti-Malware Testing Standards Organization. The only players, who are not rated, are the malware authors. This is for a good reason: their activities cover a wide range of operations, that don’t fully match and can’t be exactly measured.
The deep analysis of the samples using the CVE-2014-1761 vulnerability gave us a rare opportunity to compare the skill of a few different malware author groups. This is not a full and comprehensive test, but given the complexity of the exploit we could estimate the skills only in a very narrow slice of the full set: the understanding of the exploit. But the situation is the same as with any other test: if you know exactly what you are measuring, you can make valid conclusions.
The presentation will detail the exploitation process, explaining the role and implementation of the RTF elements used in the process, the ROP chain and the shellcodes.
We will investigate the different malware families that were using this vulnerability, and discuss the depth of modification into the exploit. This will give us a chance to rate the understanding and exploiting skill of the authors behind these malware families.
The comparative analysis gave an opportunity to draw a relationship chart between the different malware families, showing strong correlation with previously known intelligence, and adding a couple of new relations.
The final purpose of the comparative analysis is to understand the strengths and weaknesses of our enemies in the cyber warfare. The more we know about them, the greater our chances are for successful defense.