The Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided inward the Windows Object Linking together with Embedding (OLE) interface for which a patch was issued inward Apr this year, only threat actors are yet abusing the flaw through the dissimilar mediums.
Security researchers convey spotted a novel malware drive that is leveraging the same exploit, only for the offset time, hidden behind a especially crafted PowerPoint (PPSX) Presentation file.
According to the researchers at Trend Micro, who spotted the malware campaign, the targeted assail starts amongst a convincing spear-phishing electronic mail attachment, purportedly from a cable manufacturing provider together with mainly targets companies involved inward the electronics manufacturing industry.
Researchers believe this assail involves the purpose of a sender address disguised every bit a legitimate electronic mail sent yesteryear a sales together with billing department.
Here's How the Attack Works:
The consummate assail scenario is listed below:
Step 2: Once executed, the PPSX file calls an XML file programmed inward it to download "logo.doc" file from a remote place together with runs it via the PowerPoint Show animations feature.
Step 3: The malformed Logo.doc file hence triggers the CVE-2017-0199 vulnerability, which downloads together with executes RATMAN.exe on the targeted system.
Step 4: RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which when installed, allows attackers to command infected computers from its command-and-control server remotely.
Since the exploit is used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focuses on the RTF. So, the purpose of a novel PPSX files allows attackers to evade antivirus detection every bit well.
The easiest agency to forbid yourself completely from this assail is to download together with apply patches released yesteryear Microsoft inward Apr that volition address the CVE-2017-0199 vulnerability.
