Hackers leveraged weaponized Rich Text Format (RTF) documents exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.
Now the same issue is being abused in a new way to infect computers with a remote access Trojan.
According to Trend Micro, the same flaw is abused to deliver malware via PowerPoint Slide Show.
“We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before.” reads the analysis published by Trend Micro. “As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.”
The weaponized document is delivered as an attachment to spear-phishing messages that purport to come from a business partner.
The email message poses as an order request, but instead of any business documents it carries a malicious PowerPoint Show (PPSX) file that supposedly exploits CVE-2017-8570. Experts believe the attackers leveraged this Microsoft Office vulnerability, likely as a result of an error made by the toolkit developer.
Once the exploit succeeds, the attackers gain full access to the victim’s computer.
The delivered malware is wrapped in an unknown .NET protector to evade detection.
“Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focus on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection,” reads the analysis published by Trend Micro.
Trend Micro pointed out the importance of keeping software up to date and of exercising extra caution when opening documents delivered via spam email or clicking embedded links.
“Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks,” the security researchers also note.