It’s the first time this exploit has been used to target PowerPoint users – and it’s being used to distribute powerful Trojan malware, say researchers.
Cyber attackers are exploiting a vulnerability to evade antivirus detection and deliver malware via Microsoft PowerPoint.
The flaw in the Windows Object Linking and Embedding (OLE) interface is being exploited by attackers to distribute malicious Microsoft Office files.
The exploit is commonly used to deliver infected Rich Text File (.RTF) documents, but cyber security researchers at Trend Micro have spotted attackers using it to compromise PowerPoint slide show files for the first time.
As with many hacking campaigns, this attack begins with a spear-phishing email. The message purports to be from a cable manufacturing provider and mainly targets organisations in the electronics manufacturing industry.
The sender’s address is disguised to look like a message from a business partner and the email appears to relate to an order request, with an attachment purportedly contatining
However, the attachment is useless to the receiver, containing a malicious PowerPoint show that when opened simply displays the text ‘CVE-2017-8570’, the reference of a different Microsoft Office vulnerability to the one used in this attack.
The malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which initialises the infection process and results in malicious code being run using the PowerPoint Show animations feature, which downloads a file logo document if successful.
Once up and running on a system, Remcos is capable of many criminal operations, with compromised machines at risk from keylogging, screenlogging, webcam and microphone recorders, and the downloading and execution of additional malware. Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.
Researchers note that the sample behind this attack uses NET protector, which includes several protections and obfuscations to make it more difficult for researchers to reverse engineer. That indicates skill on the part of the attackers, suggesting that this isn’t an amateur campaign.
Critically, since most methods of detecting the CVE-2017-0199 vulnerability focus on the RTF attack method, the use of the PPSX PowerPoint as an attack vector means attackers can code the malware to avoid antivirus detection.
Fortunately, there’s a way to completely avoid becoming a victim of this particular attack; Microsoft released patches to address the vulnerability in April and any systems updated with these is safe from this attack.
Nonetheless, users need to remain alert to the risks posed by legitimate looking phishing emails.
“Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails–even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files,” wrote TrendMicro researchers Ronnie Giagone and Rubio Wu.
There are various techniques organisations can use to defend themselves against these attacks, with education of staff playing a key role.