OLE Malware Hides in a PowerPoint Slideshow to Evade Antivirus Detection

The latest platform used by cyber criminals to sneak malware onto devices appears to be Microsoft PowerPoint. According to reports, a vulnerability in the Windows Object Linking and Embedding (OLE) interface can be abused in a way that escapes detection by antivirus software. Threat actors use this OLE flaw to distribute infected Microsoft Office documents.

According to Trend Micro's security researchers, this flaw is normally exploited through malicious RTF (Rich Text Format) documents, but it can also be delivered through PowerPoint Slide Show documents, which is an unusual way of exploiting it.

The attack starts with a spear-phishing email. According to researchers who obtained a sample of the email, it carries an attachment named PO-483848.ppsx. The email is disguised as an order request from a cable manufacturing supplier, and the campaign's usual targets are electronics firms. The sender address appears to belong to a business partner, and the victim is asked to review the order and quote CIF (cost, insurance, and freight) and FOB (free on board) prices.

The attachment purports to contain shipping information but is in fact a malicious slide show document. Once the file is opened, text appears reading 'CVE-2017-8570', a reference to a different Microsoft vulnerability. The infected file actually triggers an exploit for CVE-2017-0199 to start the infection process.

Interestingly, the malicious code is executed through the animations feature of the PowerPoint Show. If the exploit succeeds, a file named logo.doc, containing XML and JavaScript code, is downloaded. PowerShell is then invoked to run another file, RATMAN.EXE, which is a trojanized version of the Remcos remote access tool. The malware then establishes a connection to its C&C server.

Once connected, Remcos can carry out any of the following criminal operations on the compromised system: record audio, log keystrokes, capture the screen, record video via the webcam, or download and execute additional malware. The attacker can take complete control of the system while the victim remains unaware.

After examining the sample, researchers identified the use of a .NET protector in the attack: it applies several layers of protection that make reverse engineering extremely laborious for analysts. This suggests that the attackers were skilled and experienced in cyber crime, not newcomers of any kind.

It is also worth noting that most detection methods for CVE-2017-0199 are based on the RTF attack, and this is probably the first time a PPSX PowerPoint file has been used as the main attack vector. This suggests that the attackers are capable of crafting malware that evades antivirus detection.
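Because most detection for CVE-2017-0199 targets RTF documents, a defender may want a PPSX-specific triage check. The following added example (not code from the article or from Trend Micro) treats a PowerPoint Show as the OOXML zip package it is and flags OLE-object relationships whose target lies outside the package, the kind of remote-document reference the campaign above relies on. The sample package and the URL host are constructed test fixtures; the relationship type URIs are the standard OOXML ones.

```python
# Added example (not from the article or Trend Micro): a static triage check for
# PowerPoint Show (.ppsx) files. OOXML packages are zip archives whose *.rels
# parts declare relationships; an OLE-object relationship whose target is a
# remote URL (TargetMode="External") is an indicator a defender would want to
# flag before the file is ever opened. The sample package is constructed in
# memory; the relationship type URIs are the standard OOXML ones.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
REMOTE_TARGET = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)


def find_external_ole(ppsx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels part name, target) pairs for OLE relationships pointing outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode", "Internal") == "External"
                # Flag OLE objects that are declared external or whose target is a remote URL.
                if rel.get("Type") == OLE_REL_TYPE and (is_external or REMOTE_TARGET.match(target)):
                    hits.append((name, target))
    return hits


def build_sample(target: str, external: bool) -> bytes:
    """Construct a minimal package with one slide relationship part (test fixture, not a real deck)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{IMAGE_REL_TYPE}" Target="../media/image1.png"/>'
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # example.invalid is a placeholder host; logo.doc is the file name reported in the campaign.
    suspicious = build_sample("http://example.invalid/logo.doc", external=True)
    benign = build_sample("../embeddings/oleObject1.bin", external=False)
    print("suspicious:", find_external_ole(suspicious))
    print("benign:", find_external_ole(benign))
```

A hit here means the slide would fetch an OLE payload from a remote location when rendered, so the file deserves sandbox detonation or quarantine rather than delivery to the user.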

Microsoft has already responded and released a patch in April that should protect you from this type of attack, provided you have updated your system. Still, it is important to remain alert and never open emails from unknown or unverified sources. Users should open and inspect files cautiously even when the source seems legitimate, because spear-phishing attempts are becoming more and more sophisticated.
