Cybercriminals are exploiting a vulnerability in Microsoft Office that allows them to evade detection by antivirus software and deliver malware using PowerPoint. Tracked as CVE-2017-0199, the vulnerability was first discovered as a zero-day remote code execution flaw back in April. It allowed attackers to exploit a flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware.
Commonly exploited using malicious Rich Text File (RTF) documents, security researchers have now discovered the Office vulnerability being exploited to compromise PowerPoint slide show files. Security experts at Trend Micro said that this is the first time they have seen this approach used in the wild. The flaw was originally discovered and reported by McAfee and FireEye employees and was seen using RTF files to deliver the malware.
Since the discovery earlier in the year, researchers have seen the vulnerability used in targets against Ukraine in a cyber espionage campaign and to deliver the Cerber ransomware. At the time, Microsoft had released a fix to this zero-day flaw.
A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.
The update addresses the vulnerability by correcting the way that Microsoft Office and WordPad parses specially crafted files, and by enabling API functionality in Windows that Microsoft Office and WordPad will leverage to resolve the identified issue.
Why PowerPoint files now?
Researchers note that the choice of using PPSX files instead of the common RTF method enable attackers to avoid antivirus detection.
This new attack vector starts with a phishing email with the message supposedly sent from a cable manufacturing provider, targeting organisations in the electronics manufacturing industry. The sender's email is disguised to look like a message from a business associate with the email appearing like an order request and the attachment carrying shipping information.
However, once the recipient opens the attachment, all they find is the text "CVE-2017-8570," which is a different Microsoft Office vulnerability. Trend Micro has called it "a leftover mistake from the toolkit developer."
The attachment drops the remote access tool as its final payload, triggering the CVE-2017-0199 vulnerability and starting the infection process. The malicious code downloads a file named logo.doc from the internet, which contains XML and JavaScript code that runs PowerShell to execute a file called RATMAN.EXE. "The executable is actually a trojanized version of the REMCOS remote access tool (RAT) from the Command & Control (C&C) server," researchers added.
Remcos makes the target devices vulnerable to keylogging, screenlogging and even downloading and execution of additional malware, giving attacker full control over the infected device.
But staying safe is easier in this particular case since the patch has been out for over a few months. However, users do need to stay alert to email attachments even from "trusted" senders.
Takeaways? Install security updates as soon as they are released and try not to fall for the emails even if they are from legitimate sources.
