Death By PowerPoint: Malware Attacks Use Malicious Slide Show Files To Evade Antivirus

A sophisticated attack uses targeted emails and a known Microsoft Office bug to get around antivirus and take over users’ systems

Researchers have uncovered a new form of attack using PowerPoint Slide Show files to exploit a well-known exploit.

The exploit, designated CVE-2017-0199, delivers malware via a flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office and was originally a zero-day flaw, meaning it was being used in attacks before a patch was available. It was used by the Dridex banking trojan amongst others.

Antivirus evasion

Attackers commonly use infected RTF files to target the flaw, and the new tactic may get around some antivirus programs, security firm Trend Micro said.

The attack is “the first time we have seen this approach used in the wild,” Trend said in an advisory.

The attacks use an email that appears to come from a legitimate source.
The attacks use an email that appears to come from a legitimate source.

The firm said it has uncovered targeted attacks on companies in the electronics manufacturing industry which are believed to arrive in emails that appear to have been sent by a legitimate business partner.

The email mentions an order request and contains a PPSX (PowerPoint Open XML Slide Show) file. When opened the file simply displays the text “CVE-2017-8570”, apparently a mistaken reference to a different Microsoft Office security bug.

The file exploits the CVE-2017-0199 bug, causing PowerPoint to download a remote file called logo.doc, which isn’t a Microsoft Word document, but rather an XML file that contains JavaScript to initiate the download of an executable called ratman.exe.

Ratman.exe, the attack’s final payload, is a customised version of a legitimate remote access tool called REMCOS, which allows users to run commands on their systems from across the internet.

What is your biggest cybersecurity concern?

  • Ransomware (28%)
  • Humans / Social Engineering (27%)
  • State sponsored hackers (14%)
  • Malware (14%)
  • Other (7%)
  • Out of date tools (6%)
  • DDoS (4%)

Loading ... Loading ...

Remote control

The customised version includes a wide variety of capabilities, including downloading and running software on the target system, keylogging, screen captures and recording webcam and microphone feeds.

In addition to the multiple steps used in the attack – which makes it difficult for antivirus software to detect the attack – the attackers seem to have built sophisticated reverse-engineering protections into the remote access tool, indicating a high level of programming skill.

Trend said the attack is a warning that users should use caution when handling files or links delivered via the internet, even from seemingly legitimate sources.

“Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files,” the company said.

Users can protect themselves by installing Microsoft’s patch for the bug in question, which was released in April.

Do you know all about security in 2017? Try our quiz!