SandWorm

On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Microsoft has patched this vulnerability in the October 14, 2014 patch release – CVE-2014-4114. Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia. Visibility into this campaign indicates targeting across the following domains. It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day.

  • NATO
  • Ukrainian government organizations
  • Polish government and private sectors
  • Western European government organizations
  • European telecommunications firms
  • Energy sector firms
  • United States academic organizations

The malware steals sensitive documents, SSL keys and code-signing certificates, among other things. The Windows zero-day affects all currently supported versions of Windows, and researchers said that exploiting the bug is extremely simple. The exploit code can be loaded into any Office document, and when it executes the machine doesn’t crash, so the user is likely unaware of the attack. Some have called this malware “trousersnake” as it requires the user to unzip an attachment. lol.

Spearphishing emails sent to victims are highly customized to appeal to the recipients’ interests, such as a white paper targeted at attendees of the GlobSec conference. Other documents are specifically targeted at users in countries such as Poland and Ukraine.

P.S. Sandworm is not an actual WORM (write once, read many).