It’s the first time this exploit has been used to target PowerPoint users – and it’s being used to distribute powerful Trojan malware, say researchers.

Cyber attackers are exploiting a vulnerability to evade antivirus detection and deliver malware via Microsoft PowerPoint.

The flaw in the Windows Object Linking and Embedding (OLE) interface is being exploited by attackers to distribute malicious Microsoft Office files.

The exploit is commonly used to deliver infected Rich Text Format (.RTF) documents, but cyber security researchers at Trend Micro have spotted attackers using it to compromise PowerPoint slide show files for the first time.

As with many hacking campaigns, this attack begins with a spear-phishing email. The message purports to be from a cable manufacturing provider and mainly targets organisations in the electronics manufacturing industry.

The sender’s address is disguised to look like a message from a business partner and the email appears to relate to an order request, with an attachment purportedly containing

However, the attachment is useless to the receiver: it contains a malicious PowerPoint show that, when opened, simply displays the text ‘CVE-2017-8570’, the identifier of a different Microsoft Office vulnerability from the one actually used in this attack.

The malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which initialises the infection process and results in malicious code being run through the PowerPoint Show animations feature; if successful, it downloads a file called logo.doc.

This downloaded logo.doc contains XML and JavaScript code that runs PowerShell to execute a file called ‘RATMAN.EXE’, a Trojanised version of the Remcos remote access tool, which then connects to a command and control server.

Once up and running on a system, Remcos is capable of many criminal operations, with compromised machines at risk from keylogging, screenlogging, webcam and microphone recorders, and the downloading and execution of additional malware. Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.

Researchers note that the sample behind this attack uses a .NET protector, which applies several protections and obfuscations to make it more difficult for researchers to reverse engineer. That indicates skill on the part of the attackers, suggesting that this isn’t an amateur campaign.

Critically, since most methods of detecting exploitation of the CVE-2017-0199 vulnerability focus on the RTF attack method, using a PPSX PowerPoint slide show as the attack vector lets the attackers’ malware slip past antivirus detection.
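Because a PPSX file is an OOXML zip package, the slide-to-external-content link the attack relies on has to appear in one of the package’s `.rels` relationship files. The following is an added defender-side example, written for this page and not code from Trend Micro or ZDNet: it opens a PPSX-style package, lists every relationship marked `TargetMode="External"`, and flags those that are not ordinary hyperlinks and point at a remote or unusual scheme. The triage rule (hyperlinks are fine, any other externally-targeted relationship with a non-local scheme is worth a look) and the in-memory sample package are assumptions of this example, not Trend Micro’s detection logic; the sample deck is constructed test data.

```python
import io
import zipfile
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Standard OOXML namespace for package relationship files (*.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Assumption of this example: a clickable hyperlink is the one relationship type
# that normally points outside the package. Anything else that does is unusual.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}
LOCAL_SCHEMES = {"", "mailto"}


def external_relationships(package_bytes):
    """Yield (part, short relationship type, target) for every TargetMode="External" relationship."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                yield name, rel_type, rel.get("Target", "")


def target_scheme(target):
    """URL scheme of a relationship target; a single letter (C:) is a Windows drive, not a scheme."""
    scheme = urlsplit(target).scheme.lower()
    return "" if len(scheme) <= 1 else scheme


def scan_ppsx(package_bytes):
    """Return the external relationships an analyst should look at, as a list of dicts."""
    findings = []
    for part, rel_type, target in external_relationships(package_bytes):
        if rel_type in BENIGN_EXTERNAL_TYPES:
            continue
        if target_scheme(target) in LOCAL_SCHEMES:
            continue
        findings.append({"part": part, "type": rel_type, "target": target})
    return findings


# Constructed slide relationship file: one normal layout link, one normal hyperlink,
# and one OLE object relationship whose target is fetched from a remote host.
SAMPLE_SLIDE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}hyperlink" Target="https://example.invalid/order" TargetMode="External"/>
  <Relationship Id="rId3" Type="{REL_TYPE_BASE}oleObject" Target="http://example.invalid/logo.doc" TargetMode="External"/>
</Relationships>
"""


def build_sample_ppsx(slide_rels_xml=SAMPLE_SLIDE_RELS):
    """Build a minimal PPSX-like zip in memory (constructed test data, not a real deck)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Run on the constructed sample; for a real attachment, pass open(path, "rb").read() instead.
    for finding in scan_ppsx(build_sample_ppsx()):
        print(f"{finding['part']}: {finding['type']} -> {finding['target']}")
```

On the constructed sample only the `oleObject` relationship is reported; the hyperlink and the internal layout reference are skipped. In practice the script is a triage aid for mail-gateway quarantine or incident response, not a replacement for patching: a flagged relationship tells the analyst which slide part to examine, and which remote host the deck would have contacted when opened.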

Fortunately, there’s a way to completely avoid becoming a victim of this particular attack: Microsoft released patches to address the vulnerability in April, and any system updated with these is safe from this attack.

Nonetheless, users need to remain alert to the risks posed by legitimate looking phishing emails.

“Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails – even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files,” wrote Trend Micro researchers Ronnie Giagone and Rubio Wu.

There are various techniques organisations can use to defend themselves against these attacks, with education of staff playing a key role.

From: http://www.zdnet.com/article/microsoft-powerpoint-exploit-used-to-bypass-antivirus-and-spread-malware/

About OsMonitor:

The mission of OsMonitor is to create a Windows computer system tailored for work purposes, effectively regulating employee computer behavior. It enables employers to understand what employees are doing each day, monitoring every action, including screen activity and internet usage. Additionally, it restricts employees from engaging in specific activities such as online shopping, gaming, and the use of USB drives.

OsMonitor, designed purely as software, is remarkably user-friendly and requires no additional hardware modifications. A single management machine can oversee all employee computers. As a leading brand in employee computer monitoring software with over a decade of successful operation, OsMonitor has rapidly captured the global market with its minimal file size and excellent cost-effectiveness compared to similar software. At this moment, thousands of business computers worldwide are running OsMonitor daily.

Download OsMonitor Free Trial