Microsoft PowerPoint exploit used to spread malware and evade antivirus

Cybercriminals waste no opportunity when presented with a security loophole. According to a report from the security firm Trend Micro, cybercriminals are abusing a vulnerability in the Object Linking and Embedding (OLE) interface used by Microsoft Office, this time through Microsoft PowerPoint, to install malware.

The flaw is commonly exploited through malicious Rich Text Format (RTF) documents, the method used by the DRIDEX banking Trojan campaign discovered earlier this year. This, however, is the first time the exploit has been seen delivered through a PowerPoint slideshow (PPSX) file.

Like most such campaigns, it begins with a phishing email carrying an attachment designed to look legitimate to unsuspecting users. The message purports to come from a cable manufacturing provider and asks the recipient to supply a list of items, a price quote and an estimated delivery date. On closer inspection, however, no business document is attached; the attachment is a PowerPoint slideshow named PO-483848.ppsx.

Once the victim opens the malicious slideshow, it displays the text 'CVE-2017-8570', a reference to a different Microsoft Office vulnerability. The file actually triggers an exploit for CVE-2017-0199 and begins infecting the host computer, with the malicious code run through the animations feature of the PowerPoint Show. Once the flaw is successfully exploited, a file called 'logo.doc' is downloaded.

The logo.doc file is actually an XML file containing JavaScript that runs a PowerShell command to download and execute a program called 'RATMAN.exe', a Trojanised version of the REMCOS remote access tool (RAT), which then connects to a command-and-control server.

REMCOS can carry out numerous criminal operations on the compromised system, including downloading and executing commands or other malware, keylogging, screen logging, and recording video and audio from the webcam and microphone. The RAT allows the attacker to control the system from anywhere in the world.

To make things worse, the malicious file uses an unknown .NET protector with several layers of protection and obfuscation, which makes it harder for security researchers to reverse engineer. And since most methods of detecting CVE-2017-0199 exploitation focus on the RTF attack vector, using a PPSX PowerPoint file as the delivery vehicle lets the attackers evade antivirus detection.
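The chain described above turns on one structural fact: the slideshow's relationship part points at an OLE object that lives outside the package, so PowerPoint fetches it when the slide renders. A practitioner who wants a check that does not depend on the RTF-focused signatures the article mentions can look for exactly that in any Office Open XML container. The following Python script is an added example and is not code from Trend Micro, Neowin or the campaign itself; the package it builds is a constructed, minimal set of parts that is just enough for the check (not a working exploit file), the function names are the editor's own, and the download URL is a placeholder because the page does not name the host that served logo.doc.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPE = REL_NS + "/oleObject"
# Target prefixes that mean "fetch this from somewhere outside the package".
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "file://", "\\\\")


def find_external_ole_links(ooxml_bytes):
    """Scan every .rels part in an Office Open XML package and return
    [(rels_part, rId, target)] for each OLE-object relationship that is
    marked TargetMode="External" or whose target is a remote location.
    Such a relationship makes Office fetch the object when the slide or
    page is rendered, which is how the PPSX variant pulls its second
    stage. The check is format-agnostic: the same container layout is
    used by .docx, .xlsx, .pptx and .ppsx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode", "Internal") == "External"
                looks_remote = target.lower().startswith(REMOTE_SCHEMES)
                if rel_type == OLE_REL_TYPE and (is_external or looks_remote):
                    hits.append((name, rel.get("Id"), target))
    return hits


def build_sample_ppsx(ole_target, external):
    """Build a minimal, constructed PPSX-style package (just enough parts
    for the checker above; not a working exploit file) whose first slide
    carries one OLE-object relationship pointing at ole_target."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    slide = '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>'
    mode = ' TargetMode="External"' if external else ''
    slide_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="{pkg}">'
        '<Relationship Id="rId1" Type="{rel}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="{rel}/oleObject" Target="{target}"{mode}/>'
        '</Relationships>'
    ).format(pkg=PKG_NS, rel=REL_NS, target=ole_target, mode=mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: stands in for the attacker-controlled host that served
    # logo.doc in the campaign, which the article does not name.
    suspicious = build_sample_ppsx("http://example.invalid/logo.doc", external=True)
    # A legitimate embedded object lives inside the package, so no hit.
    benign = build_sample_ppsx("../embeddings/oleObject1.bin", external=False)
    print("suspicious:", find_external_ole_links(suspicious))
    print("benign:    ", find_external_ole_links(benign))
```

Running the script on a real attachment only needs the file's bytes in place of the constructed package; a non-empty result is a strong reason to quarantine the file before it reaches a user, regardless of whether the antivirus engine has an RTF signature for CVE-2017-0199.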

“Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails – even if they come from seemingly legitimate sources,” the blog post advises. “Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files.”

However, Microsoft already released a patch for the vulnerability in April, Trend Micro notes. If the software on your system is up to date, you are likely to be unaffected by this malware campaign.

Source: Neowin


  1. “If the software on your system is updated, then you are likely to remain unaffected from the malware campaign.”

    Unfortunately Kavita, that’s a big “if.” Even critical patches sometimes get blocked or stalled by GPO. I can’t even count the number of businesses who were badly out of date on their patches before we came in. Sometimes through no fault of their own!

    Great description of the exploit, though. This illustrates just how complex malware authors are willing to make their exploits. Shows you how determined they are to get your data.

    As well as staying up-to-date on your patches, make and verify good regular backups!

