The ULTIMATE CRUELTY: Sandworm uses PowerPoint against Swiss bank customers

From espionage to cybercrime

The Sandworm vulnerability is being actively abused to attack Swiss banking customers, Danish security consultancy CSIS has warned.

CSIS reports that the attacks are pushing the latest version of the Dyre banking trojan.

Attacks arrive as spam emails under the guise of information about unpaid invoices. In reality the PowerPoint attachment to these messages is booby-trapped to exploit the Sandworm vulnerability and infect insecure Windows PCs.

Sandworm first reared its ugly head earlier this month as a zero-day vulnerability in Windows that hackers were abusing to hijack and snoop on PCs and servers used by NATO and the European Union. Weaponised PowerPoint documents exploiting the OLE package manager in Microsoft Windows were showered against targets in attacks blamed on Russia.

Microsoft patched this (CVE-2014-4114) vulnerability as part of its regular Patch Tuesday update on 14 October.

Recent patched vulnerabilities, in particular, often remain unpatched and cybercrooks have latched onto Sandworm in attacks aimed at the Swiss banking customers.

The practical upshot is that an exploit — first seen in the Sandworm APT attacks against Poland and Ukraine — has become the fodder for common-or-garden cybercrooks in less than three weeks. Technically, the attacks are virtually the same, and the only real difference is the pretext being used to trick prospective marks into opening tainted email attachments that get them infected.

CSIS Security has a write-up of the attack — including config files from the malware that numerate targets — in a blog post here. ®


Object Linking and Embedding (OLE) object technology is used to share data between applications so that a chart from an Excel Spreadsheet can be included within a PowerPoint presentation, for example.

Narrower topics

Other stories you might like

Biting the hand that feeds IT © 1998–2022