The attackers infected their victims using targeted spear-phishing emails carrying malicious PowerPoint attachments weaponized with the CVE-2014-4114 vulnerability, nicknamed Sandworm. Once opened, these attachments download and run executables that exfiltrate data to a control server and establish persistence on the infected machine. Patchwork is estimated to have infected 2,500 machines since researchers first recognized an infection in December 2015.
It is important to mention that this attack is very simple on the technical side – it exploits a vulnerability that was patched long ago and relies mostly on open source code that is widely available online for anyone to grab. And yet, this campaign has managed to infect so many. “This group shows how low the bar has been moved for a successful APT attack to take flight,” said Gadi Evron, CEO and founder of Cymmetria, to threatpost.com. “We are impressed that these attacks were able to infiltrate high-end organizations given the apparent low technical aptitude of the attackers.”
The vulnerability used in this attack was patched by Microsoft back in 2014, which only highlights the need for performing regular system updates.
ThreatSTOP customers are protected from Patchwork.