Researchers with Fidelis Cybersecurity have observed multiple, seemingly unrelated threat actors leveraging Microsoft Windows OLE remote code execution vulnerability CVE-2014-4114 to distribute malware, and several of the attacks involve the use of PowerPoint attachments to bypass antivirus detection.
Those attacks began with spearphishing emails carrying a weaponized PowerPoint file attachment purporting to be a purchase order, a threat advisory indicated. Once the recipient downloads the file and opens it in slideshow format, CVE-2014-4114 is exploited and the malware executes.
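For defenders triaging PowerPoint attachments of the kind described above, the following added example (not code from Fidelis Cybersecurity or the advisory) shows one cheap static check: an OOXML presentation is a zip package, and it is the slide relationship parts (`*.rels`) that declare where each embedded OLE object lives. Publicly documented CVE-2014-4114 samples reference their OLE object with `TargetMode="External"` and a target outside the package, whereas a normal embedding points at an internal `embeddings/` part. The script walks every `.rels` part, flags OLE object relationships marked external, and is exercised against two constructed packages (one flagged, one benign); the UNC target in the sample is a constructed placeholder, not an indicator from the advisory.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of package relationship parts and the relationship type used
# for embedded OLE objects in Office Open XML presentations.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)


def external_ole_references(data: bytes) -> list:
    """Return (rels_part, target) pairs for every OLE object relationship
    whose TargetMode is External, i.e. an object resolved from outside
    the package (a UNC share, a URL) rather than an embedded part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A malformed relationship part is itself worth a closer look;
                # this heuristic only reports well-formed external references.
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                mode = rel.get("TargetMode", "Internal").lower()
                if rel.get("Type") == OLE_REL_TYPE and mode == "external":
                    hits.append((name, rel.get("Target", "")))
    return hits


def build_sample(rels_xml: str) -> bytes:
    """Construct a minimal presentation-like package around one slide
    relationship part. Test fixture only; not a real slideshow file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed fixture: an OLE object fetched from an external UNC path
# (203.0.113.0/24 is a documentation range; the path is a placeholder).
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="\\\\203.0.113.10\\share\\payload.bin" TargetMode="External"/>'
    "</Relationships>"
)

# Constructed fixture: a normal embedded OLE object stored inside the package.
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    'Target="../embeddings/oleObject1.bin"/>'
    "</Relationships>"
)


if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        found = external_ole_references(build_sample(rels))
        verdict = "FLAG" if found else "ok"
        print(f"{label}: {verdict} {found}")
```

To run it against real attachments, read the file bytes and pass them to `external_ole_references`; a non-empty result is a reason to detonate the file in a sandbox rather than deliver it. The check is deliberately narrow: it only answers "does this package pull an OLE object from outside itself", which is the property the exploit depends on, and it says nothing about what that object is.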
While the attacks are similar to those carried out by a group believed to be affiliated with a nation-state and reported on in October 2014, Fidelis Cybersecurity does not believe the original actors are involved with these most recent incidents.
“The tradecraft involved in most of the recent CVE-2014-4114 activity is more similar to various cyber criminal actor sets than nation state-affiliated actors based on various levels of social engineering tradecraft and in some instances, the use of malware methods that bypass antivirus program detection,” the advisory said.
Specifically, Fidelis Cybersecurity noted how these most recent campaigns involve the use of poorly constructed email messages with misspellings and lousy grammar, as opposed to the carefully crafted and highly targeted emails created by the alleged nation-state group.
Fidelis Cybersecurity believes that Nigerian 419 actors are involved in at least some of this recent activity.
“Many of the same [tactics, techniques and procedures] bore striking similarities to similar Nigerian activity in 2014,” the advisory said. “If true, this is a notable evolution in traditional Nigerian 419 fraud operations.”