
Death By PowerPoint: Malware Attacks Use Malicious Slide Show Files To Evade Antivirus

Researchers have uncovered a new form of attack that uses PowerPoint Slide Show files to exploit a well-known vulnerability.

The exploit, designated CVE-2017-0199, delivers malware via a flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office and was originally a zero-day flaw, meaning it was being used in attacks before a patch was available. It was used by the Dridex banking trojan amongst others.

Antivirus evasion

Attackers commonly use infected RTF files to target the flaw, and the new tactic may get around some antivirus programs, security firm Trend Micro said.

The attack is “the first time we have seen this approach used in the wild,” Trend said in an advisory.

The attacks use an email that appears to come from a legitimate source.

The firm said it has uncovered targeted attacks on companies in the electronics manufacturing industry which are believed to arrive in emails that appear to have been sent by a legitimate business partner.

The email mentions an order request and contains a PPSX (PowerPoint Open XML Slide Show) file. When opened the file simply displays the text “CVE-2017-8570”, apparently a mistaken reference to a different Microsoft Office security bug.

The file exploits the CVE-2017-0199 bug, causing PowerPoint to download a remote file called logo.doc, which isn’t a Microsoft Word document, but rather an XML file that contains JavaScript to initiate the download of an executable called ratman.exe.

Ratman.exe, the attack’s final payload, is a customised version of a legitimate remote access tool called REMCOS, which allows users to run commands on their systems from across the internet.
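The delivery step described above depends on a PPSX package containing an OLE-object relationship whose target lives outside the file (the remote logo.doc) rather than inside it. A PPSX is a ZIP of XML parts, and each part's links are declared in a `.rels` file, so a defender can triage attachments by unpacking them and flagging any OLE relationship marked `TargetMode="External"`. The script below is an added example written for this article, not code from Trend Micro or from the analysed sample; the package layout it builds is a constructed, minimal stand-in (real slide shows carry many more parts), and the host `example.invalid` is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace for package relationships and the relationship type used
# for embedded/linked OLE objects in slides.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_relationships(ppsx_bytes):
    """Return (rels_path, rel_id, target) for every OLE-object relationship
    in the package whose target is external, i.e. fetched from outside the
    file (for example an http:// URL) instead of an embedded part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A malformed .rels part is itself unusual; skip it here but a
                # production scanner would record that as a separate signal.
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def classify(ppsx_bytes):
    """Triage verdict: any externally linked OLE object is worth a closer look."""
    return "suspicious" if find_external_ole_relationships(ppsx_bytes) else "no external OLE links"


def build_sample_ppsx(ole_target, external):
    """Build a constructed, minimal PPSX-like package with a single slide and one
    OLE relationship. Only the relationship part matters for the check above."""
    target_mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{ole_target}"{target_mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Benign case: the OLE object is an embedded part inside the package.
    benign = build_sample_ppsx("../embeddings/oleObject1.bin", external=False)
    # Suspicious case: the OLE object is pulled from a remote host (placeholder).
    linked = build_sample_ppsx("http://example.invalid/logo.doc", external=True)
    for label, pkg in (("benign", benign), ("linked", linked)):
        print(label, classify(pkg), find_external_ole_relationships(pkg))
```

The check is a heuristic, not a verdict: legitimately linked OLE objects also use `TargetMode="External"`, so in practice the hit list is fed to an analyst or correlated with the sender, the target host and whether the mail matches the "order request" lure pattern described in the article.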


Remote control

The customised version includes a wide variety of capabilities, including downloading and running software on the target system, keylogging, screen captures and recording webcam and microphone feeds.

In addition to the multiple steps used in the attack – which makes it difficult for antivirus software to detect the attack – the attackers seem to have built sophisticated reverse-engineering protections into the remote access tool, indicating a high level of programming skill.

Trend said the attack is a warning that users should use caution when handling files or links delivered via the internet, even from seemingly legitimate sources.

“Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files,” the company said.

Users can protect themselves by installing Microsoft’s patch for the bug in question, which was released in April.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
