CVE-2017-0199: Crooks exploit PowerPoint Slide Show files to deliver malware

According to Trend Micro, cyber criminals abuse the CVE-2017-0199 vulnerability to deliver malware via PowerPoint Slide Show.

In April Microsoft fixed the CVE-2017-0199  vulnerability in Office after threat actors had been exploiting it in the wild.

Hackers leveraged weaponized Rich Text File (RTF) documents exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.

Now the same issue is being abused in a new way to infect computers with a remote access Trojan.

According to Trend Micro, the same flaw is abused to deliver malware via PowerPoint Slide Show.

“We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before.” reads the analysis published by Trend Micro. “As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.”

The weaponized document is delivered as an attachment to a spear-phishing messages that pretend to be sent by a business partner.

The email message is supposedly an order request that doesn’t include other business documents, instead, it has attached a malicious PowerPoint Show (PPSX file) that supposedly exploits the CVE-2017-8570. Experts believe that attackers leveraged this Microsoft Office vulnerability, likely for an error made by the toolkit developer.

Once the file has been executed, PowerPoint initializes the script moniker and launches the remote malicious payload via the PowerPoint Show animations feature by exploiting the Microsoft flaw perched in April. Then it downloads a file called logo.doc, which is instead an XML file with JavaScript code.

The JavaScript runs a PowerShell command to download and execute RATMAN.EXE from its command and control (C&C) server. The file is a Trojanized version of the legitimate  REMCOS remote access tool (RAT).

With this trick, attackers gain full access to the victim’s computer.

The tool leverages an unknown .NET protector to evade detection.

“Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focuses on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection,” reads the analysis published by Trend Micro.

Trend Micro pointed out the importance of keeping software up to date and paying extra caution when opening documents delivered via spam email or clicking embedded links.

“Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks,” the security researchers also note.