Recently, security experts detected that cybercriminals were leveraging an exploit which allows avoiding detection, using Microsoft PowerPoint. The Windows Object Linking and Embedding (OLE) vulnerability (CVE-2017-0199) has been previously exploited for propagating malware via Microsoft Office. Typically, hackers infected their victims, distributing malicious Rich Text File (.RTF) files.
This time, the attackers were using the same exploit, compromising PowerPoint slide show files. Trend Micro researchers, who discovered the cyber-criminal activity, stated in their blog post:
“We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before.”
As the specialists mentioned, attackers employ spear-phishing emails that contain infected attachments, primarily targeting the electronics manufacturing sector. “We believe the targeted attack involves the use of a sender address,” they added, “disguised as a legitimate email sent by a business partner.”
How does the attack happen?
First, the victim receives a message, supposedly containing shipping information, with an attached malicious PowerPoint (PPSX) document. If successfully exploited, the file uses an XML file for downloading “Logo.doc.”
Next, the malicious document employs the CVE-2017-0199 flaw, executing “RATMAN.exe,” which is a Remcos’ trojanized version, on the victim’s system.
As soon as Remcos Remote Control program gets onto the targeted computer, it enables attackers to perform a number of commands via command-and-control (C&C) server. Those include taking over user’s webcam or microphone, keylogging, installing other malware, etc.
In the worst-case scenario, cybercriminals may gain control over the whole system without the victim even noticing.
How does the malware avoid AV software?
Originally, cybercriminals leveraged the Windows Object Linking and Embedding flaw to infect victims through RTF documents. Thus, the majority of detection methods for the CVE-2017-0199 bug are focusing specifically on RTF. This way, when hackers use PPSX files for distributing malware, they manage to completely evade detection.
Back in April, Microsoft resolved the issue by providing patches for the vulnerability. In order to protect themselves against the threat, users are encouraged to update their systems as soon as possible.
Security researchers also emphasize that users always stay alert of phishing emails and never following suspicious links.
“Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails–even if they come from seemingly legitimate sources,” Trend Micro warned. “Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files.”