Thursday, December 11, 2014

CVE-2014-4114/CVE-2014-6352 Evade AV by removing read access in zip structure

We recently came across a CVE-2014-4114/CVE-2014-6352 sample (MD5 c69978405ecbb4c5691325ccda6bc1c0) which uses the Zip directory structure of the OpenXML ppsx container to assign no access permissions to the embedded exploit. This may allow the malware to slip by some automated analysis systems that honor those permissions, while the exploit still functions properly in MS Office PowerPoint, which ignores the Zip format access permissions. This PowerPoint exploit is usually delivered by email and has been used by both espionage and criminal groups.

An early version of the exploit with normal file access permissions:

The new c69978405ecbb4c5691325ccda6bc1c0 with no user read permissions:
This modification to file permissions does appear to lower detection rates compared with another recent version of a similar exploit.

VT detection rate of 23/56 for the version with read access:

And VT results of only 13/56 for the version with no read access to the exploit. Most of the major AV engines do not detect the exploit:



Our Cryptam document malware analysis engine has been updated to make all embedded files in docx/ppsx/pptx/xlsx containers readable during processing, regardless of the permissions recorded in the Zip directory.
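As an added example (not Cryptam's code and not part of the original post), the following Python flags archive members whose Unix mode bits in the Zip central directory grant nobody read access, and rewrites the container with readable 0644 entries before further processing. The archive layout, member names and contents are constructed for illustration, not taken from the sample.

```python
import io
import stat
import zipfile

READ_BITS = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH

def find_unreadable_entries(data):
    """Names of file members whose Unix mode (high 16 bits of the
    central-directory external attributes) grants nobody read access."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # create_system 3 == UNIX; DOS/Windows attributes are not modes.
            if info.is_dir() or info.create_system != 3:
                continue
            mode = (info.external_attr >> 16) & 0xFFFF
            if mode & READ_BITS == 0:
                found.append(info.filename)
    return found

def normalize_permissions(data):
    """Rewrite the archive so every member is a readable 0644 regular file."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            fixed = zipfile.ZipInfo(info.filename, info.date_time)
            fixed.create_system = 3
            fixed.external_attr = (stat.S_IFREG | 0o644) << 16
            dst.writestr(fixed, src.read(info.filename))
    return out.getvalue()

def read_member(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def build_sample_archive():
    """Constructed sample: an OOXML-shaped archive whose embedded object has
    its read bits cleared, as in the post. Names and bytes are illustrative."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        normal = zipfile.ZipInfo("[Content_Types].xml")
        normal.create_system = 3
        normal.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(normal, b"<Types/>")
        hidden = zipfile.ZipInfo("ppt/embeddings/oleObject1.bin")
        hidden.create_system = 3
        hidden.external_attr = stat.S_IFREG << 16  # permission bits all zero
        zf.writestr(hidden, b"constructed placeholder payload")
    return buf.getvalue()
```

Run `find_unreadable_entries` on the raw container bytes first, since the flagged names are themselves a useful indicator for triage; then feed the output of `normalize_permissions` to whatever extracts the parts.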
