Cyberattackers are exploiting a vulnerability that allows them to evade detection by antivirus software and deliver malware via Microsoft PowerPoint.
The flaw in the Windows Object Linking and Embedding (OLE) interface is being used by attackers to distribute malicious Microsoft Office files.
The exploit is commonly used to deliver infected Rich Text File (.RTF) documents, but cybersecurity researchers at Trend Micro have spotted attackers using it to compromise PowerPoint slideshow files for the first time.
The attack arrives by email: the sender's address is disguised to look like a message from a business partner, and the message appears to relate to an order request, with an attachment purportedly containing shipping information.
However, the attachment is useless to the recipient. It contains a malicious PowerPoint Show file which, when opened, simply displays the text 'CVE-2017-8570', a reference to a different Microsoft Office vulnerability than the one used in this attack.
The malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which initialises the infection process. As a result, malicious code is run via the PowerPoint Show animations feature, and that code downloads a 'logo' document file.
Once the Remcos malware is up and running on a system, it is capable of many criminal operations: compromised machines are at risk from keylogging, screen logging, webcam and microphone recording, and the downloading and execution of additional malware. Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.
Researchers note that the sample behind this attack uses a .NET protector, which applies several protections and obfuscations to make it more difficult for researchers to reverse engineer. That indicates skill on the part of the attackers, suggesting that this isn't an amateur campaign.
Critically, since most methods of detecting exploitation of CVE-2017-0199 focus on the RTF attack method, using a PPSX PowerPoint Show file as the attack vector means attackers can craft the malware to avoid antivirus detection.
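As an added defender-side example (not part of the article or of Trend Micro's research), the check below unpacks a PPSX, which is an OOXML zip archive, and flags OLE relationships whose target lies outside the package, so that the same linked-object indicator RTF-focused detection relies on is also applied to PowerPoint Show files. The sample archives and URL are constructed here; that an externally resolved OLE relationship is the indicator to look for is an assumption drawn from the OLE-linking nature of the flaw, not something the article states.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationships namespace used by every *.rels part.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_links(pptx_bytes):
    """Return (part_name, target) pairs for OLE relationships resolved outside the package.

    Each slide's relationships live in ppt/slides/_rels/slideN.xml.rels. A
    relationship whose Type ends in '/oleObject' and whose TargetMode is
    'External' tells Office to fetch the object from a remote location instead
    of from an embedded part, which is the behaviour worth flagging (assumption).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type", "").endswith("/oleObject") and rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Target")))
    return hits


def build_sample_ppsx(rels_xml):
    """Build a minimal, constructed PPSX-like zip with a single slide relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples: an embedded (in-package) OLE object, and an externally linked one.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>
</Relationships>"""
SUSPECT_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="http://example.invalid/external-object" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, find_external_ole_links(build_sample_ppsx(rels)))
```

Run against a real PPSX by reading its bytes and passing them to find_external_ole_links; an empty list means no externally resolved OLE objects were found in any relationship part.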
Nonetheless, users need to remain alert to the risks posed by legitimate-looking phishing emails.
"Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails--even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files," wrote Trend Micro researchers Ronnie Giagone and Rubio Wu.