
Malicious PowerPoint Slide Show files exploit Microsoft bug to deliver REMCOS RAT

In what researchers are calling a first, malware distributors are now maliciously crafting PowerPoint Open XML Slide Show (PPSX) files to take advantage of a Microsoft Office vulnerability that is more typically exploited with Rich Text Format (RTF) documents.

The bug in this case is CVE-2017-0199, a vulnerability in the Object Linking and Embedding (OLE) interface of Microsoft Office on Windows, according to Trend Micro, whose researchers uncovered the scheme. Microsoft patched the bug in April 2017.

The newly discovered attack technique is tied to a spear phishing campaign that has largely focused on companies in the electronics manufacturing industry. In this instance, the intent is to infect businesses with a trojanized version of the REMCOS remote access tool (RAT), which comes with myriad features for attackers, including the ability to download and execute commands, a keylogger, a screen logger, and webcam and microphone recorders.

In an Aug. 14 blog post, Trend Micro threat analysts Ronnie Giagone and Rubio Wu said that the adversaries likely swapped RTF files with PPSX files to change things up and "evade antivirus detection."

The threat first arrives in the form of a spear phishing email that appears to be sent from a cable manufacturing provider looking to place a large order. The email specifically asks if the recipient can supply a list of items, requesting a price quote and estimated delivery date.

However, upon opening the attached file, all the recipient actually sees is a PPSX document that displays the vulnerability identifier "CVE-2017-8570." Strangely, this is not the vulnerability actually being exploited (as noted above, the vulnerability being abused is CVE-2017-0199), a quirk that Trend Micro chalks up to an error on the part of the toolkit developer.

The malicious PPSX file leverages the exploit to download another file, which Trend Micro detects as JS_DLOADER.AUSYVT, from a VPN or hosting service abused by the attackers. This file is XML containing JavaScript: essentially a malicious downloader that runs a PowerShell command to retrieve the main REMCOS payload, which is camouflaged using various obfuscations and protections.
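The PPSX variant of CVE-2017-0199 is structurally visible without opening the document: the exploit hinges on an OLE object relationship inside the Open XML package whose target is marked External, so Office fetches the remote file (here the JavaScript-bearing XML) instead of loading an embedded one. The following triage script is an added example written for this page, not code from Trend Micro or from the article. It generalizes the check to any OOXML package (PPSX, PPTX, DOCX) by walking every `.rels` part and flagging external, non-hyperlink relationships, with oleObject relationships rated highest. The `build_sample_ppsx` helper constructs a minimal test package in memory; its `example.invalid` URL and `logo.doc` filename are placeholders, not indicators from the real campaign.

```python
"""Static triage of an OOXML package for external OLE relationships,
the package structure abused by the PPSX form of CVE-2017-0199."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_TYPE = OFFICE_REL + "oleObject"
HYPERLINK_TYPE = OFFICE_REL + "hyperlink"
PML_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def find_external_references(data: bytes):
    """Return a list of dicts for every relationship in the package that
    resolves outside the zip (TargetMode="External"), except hyperlinks,
    which are external by design. An oleObject relationship marked External
    is the CVE-2017-0199 pattern and is rated "high"; any other external
    part reference (templates, frames, etc.) is rated "review"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "")
                if rel_type == HYPERLINK_TYPE:
                    continue
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                    "severity": "high" if rel_type == OLE_TYPE else "review",
                })
    return findings


def build_sample_ppsx(malicious: bool) -> bytes:
    """Constructed test input (not a real sample): a skeletal PPSX with one
    slide. With malicious=True the slide carries an oleObject relationship
    whose Target is an external URL on a placeholder host."""
    rels = [
        f'<Relationship Id="rId1" Type="{OFFICE_REL}slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>',
        # A normal hyperlink: external, but expected and not reported.
        f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" '
        'Target="https://example.invalid/" TargetMode="External"/>',
    ]
    if malicious:
        rels.append(
            f'<Relationship Id="rId3" Type="{OLE_TYPE}" '
            'Target="http://example.invalid/logo.doc" TargetMode="External"/>'
        )
    slide_rels = (f'<Relationships xmlns="{REL_NS}">'
                  + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}"/>')
        pkg.writestr("ppt/slides/slide1.xml", f'<sld xmlns="{PML_NS}"/>')
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_ppsx(False)),
                          ("malicious", build_sample_ppsx(True))):
        hits = find_external_references(sample)
        print(f"{label}: {len(hits)} external non-hyperlink reference(s)")
        for h in hits:
            print(f"  [{h['severity']}] {h['part']} {h['id']} "
                  f"{h['type']} -> {h['target']}")
```

The constructed package is deliberately skeletal and will not open in PowerPoint; it exists only to exercise the parser. On real attachments, run `find_external_references` over the bytes of the file as received; a "high" finding means the document will reach out to the listed URL through the OLE handler when opened on an unpatched system, which is reason enough to quarantine it before anyone clicks.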

Trend Micro first came across a sample of the PPSX malware on July 28. At first, "there was very little traffic in the days following this initial detection. It's only in the last week that we've seen an increase in this malware in the wild," said Mark Nunnikhoven, VP of cloud research for Trend Micro, in an email interview with SC Media.

"Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails, even if they come from seemingly legitimate sources," the blog post advises. "Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files."

Earlier this month, Trend Micro reported on a different spear phishing campaign, targeting Russian-speaking businesses, that infects victims with a backdoor program, using malformed RTF files that also exploit CVE-2017-0199.

Tod Beardsley, research director at Rapid7, said in emailed comments that while the attackers' use of PowerPoint Slide Show files may be of interest to security researchers, the more significant takeaway is that these campaigns continue to work because many users fail to patch vulnerabilities and open suspicious attachments.

"Security researchers continue to be fascinated with novel attack vectors, exotic cryptography attacks, and zero-day vulnerabilities, but out in the real world, people are dealing with 120+ day vulnerabilities that depend on users failing to install patches and running malicious code emailed to them by strangers," said Beardsley. "Spearphishing with malicious attachments continues to be a devastatingly effective technique for online criminals, and we in security need to be doing a better job when it comes to partnering with our friends in IT operations and software development to make this attack more expensive and less effective."

"The fact is, the headlines around CVE-2017-0199 could have been written any time in the last 15 years," Beardsley continued. "This alone tells me that we're clearly not making enough headway against phishing campaigns."

Bradley Barth
