Hackers Exploit PowerPoint Files to Deliver Malware

Fortinet security experts warn that hackers are exploiting malicious PowerPoint files alongside a recently patched Microsoft Office vulnerability to attack foreign ministries, international organizations, UN agencies, and entities interacting with international governments.

The attackers use a file called ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx and exploit CVE-2017-0199, which Microsoft patched in April. Around that time, cyber criminals had been abusing CVE-2017-0199 to deliver various types of malware, including Dridex, Latentbot, Godzilla, and WingBird. Despite the recent patch, the exploit continues to be used in cyber attacks.

The first PowerPoint attacks exploiting CVE-2017-0199 for malware delivery were observed a month ago; they distributed a Trojanized version of REMCOS, a legitimate, customizable remote access tool (RAT).

Fortinet researchers say that, once opened, the PowerPoint Slide Show triggers a script and the exploit retrieves an XML file containing JavaScript from the domain narrowbabwe[.]net. It then executes that code using the PowerPoint Show animations feature.

The exploit is also able to bypass Windows User Account Control (UAC) by hijacking a registry key and then executing eventvwr.exe, a bypass technique first detailed about a year ago.

The JavaScript inside the XML file writes a file to disk that masquerades as a legitimate Microsoft Office patch. In reality it is malware running with high privilege, which uses WMI ActiveScriptConsumers for persistence; the script runs every 12 seconds.

The script also checks whether it is running in a virtual environment. If it does not detect a virtual machine, it proceeds to send data to a remote server.

Although the command and control (C&C) server had already been taken down at the time of their analysis, the experts say the C&C response contains arbitrary commands that the script executes with the eval() function. Once the commands have run, the script sends a notification back to the server.
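As an added defender-side example (not Fortinet's code or anything from the article), the following Python flags the three host traces described above: the registry hijack used by the eventvwr.exe UAC bypass, a process spawned by eventvwr.exe, and a WMI ActiveScriptEventConsumer whose script calls eval(). It assumes Sysmon-style field names, the sample events are constructed, and the hijacked key path is taken from the public description of the bypass rather than from the article.

```python
"""Detection logic for the host traces the article describes: the eventvwr.exe
UAC bypass (registry hijack) and WMI ActiveScriptEventConsumer persistence.
Input is Sysmon-style telemetry as dicts; the sample below is constructed."""
import re

# Key hijacked by the eventvwr.exe bypass. Assumption: taken from the public
# 2016 write-up of the technique; the article itself does not name the key.
# Sysmon reports the default value as "...\command\(Default)".
MSCFILE_RE = re.compile(r"\\Classes\\mscfile\\shell\\open\\command(\\\(Default\))?$", re.I)
EVENTVWR_RE = re.compile(r"\\eventvwr\.exe$", re.I)
BENIGN_CHILD_RE = re.compile(r"\\mmc\.exe$", re.I)  # the child eventvwr normally spawns


def hunt(events):
    """Return (rule, evidence) findings for events matching the three traces."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 13 and MSCFILE_RE.search(e.get("TargetObject", "")):
            # Registry value set under the per-user mscfile handler (Sysmon 13).
            findings.append(("mscfile_hijack", e.get("Details", "")))
        elif eid == 1 and EVENTVWR_RE.search(e.get("ParentImage", "")) \
                and not BENIGN_CHILD_RE.search(e.get("Image", "")):
            # eventvwr.exe spawned something other than mmc.exe (Sysmon 1).
            findings.append(("eventvwr_child", e.get("Image", "")))
        elif eid == 20 and e.get("Type") == "ActiveScriptEventConsumer":
            # Script-based WMI consumer registered (Sysmon 20); eval() of
            # fetched data is the C&C pattern the article describes.
            script = e.get("Destination", "")
            rule = "wmi_script_consumer_eval" if "eval(" in script else "wmi_script_consumer"
            findings.append((rule, e.get("Name", "")))
    return findings


# Constructed sample telemetry (not a real capture), using Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": r"wscript.exe C:\Users\u\AppData\Local\Temp\msoffice_patch.js"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},  # normal behaviour, not flagged
    {"EventID": 20, "Name": "msoffice_patch", "Type": "ActiveScriptEventConsumer",
     "Destination": "var x=new ActiveXObject('MSXML2.XMLHTTP');/*...*/eval(x.responseText);"},
    {"EventID": 20, "Name": "SCM Event Log Consumer", "Type": "NTEventLogEventConsumer",
     "Destination": ""},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings, while the mmc.exe child and the built-in NTEventLogEventConsumer are left alone.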

“These commands can possibly be download functions to deliver the final payload, and the most commonly used malware for espionage are RATs (Remote Access Trojans),” Fortinet experts say.
