Microsoft PowerPoint exploit used to spread malware and evade antivirus
Cybercriminals waste no opportunity when a security loophole presents itself. According to a report from the security firm Trend Micro, attackers are abusing a vulnerability in the Object Linking and Embedding (OLE) interface of Microsoft PowerPoint to install malware.
The interface is commonly exploited through malicious Rich Text Format (RTF) documents, the method used by the DRIDEX banking Trojan discovered earlier this year. However, this is the first time the exploit has been seen delivered through PowerPoint slideshow files.
Like most such campaigns, it begins with a phishing email carrying an attachment designed to look legitimate. The email, supposedly from a cable manufacturing supplier, asks the recipient to supply a list of items together with a price quote and an estimated delivery date. On closer inspection, however, no business document is attached; the attachment is a file named PO-483848.ppsx.
Once the victim opens the malicious PowerPoint slideshow, it displays the text ‘CVE-2017-8570’, a reference to a different Microsoft Office vulnerability. The file actually triggers an exploit for CVE-2017-0199 and begins infecting the host, with the malicious code run through the animation feature of the PowerPoint Show. Once the flaw is successfully exploited, a file called ‘logo.doc’ is downloaded.
The logo.doc file is in fact an XML file containing JavaScript that runs a PowerShell command to download and execute a program called ‘RATMAN.exe’, a Trojanised version of the REMCOS remote access tool (RAT), which then connects to a command and control server.
REMCOS can carry out numerous criminal operations on the compromised system, including downloading and executing commands for other malware, keylogging, screen logging, and recording video and audio from the webcam and microphone. The REMCOS RAT allows the attacker to control the system from anywhere in the world.
To make things worse, the malicious file uses an unknown .NET protector with several layers of protection and obfuscation that make it harder for security researchers to reverse engineer. Ultimately, since most methods of detecting CVE-2017-0199 focus on the RTF attack vector, using a PPSX PowerPoint file as the delivery vehicle allows attackers to evade antivirus detection.
“Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails – even if they come from seemingly legitimate sources,” the blog post advises. “Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files.”
However, Microsoft had already released a patch for the vulnerability in April, Trend Micro notes. If the software on your system is up to date, you are likely to remain unaffected by this malware campaign.
Source: Neowin