Security Vulnerabilities

New Method of Attack Abuses PowerPoint Slide Show

A new attack method has been discovered that exploits the CVE-2017-0199 vulnerability. CVE-2017-0199 was originally a zero-day Remote Code Execution vulnerability that used a flaw in Microsoft Office to execute malware embedded in an infected Rich Text Format (RTF) file. The original flaw existed within the Windows Object Linking and Embedding (OLE) interface of Microsoft Office.

The new exploitation method uses a PowerPoint slideshow. The exploit arrives as an attachment to an email that claims to come from an internet service provider, as part of a spear-phishing campaign. When opened, it shows the text “CVE-2017-8570”, which is a different Microsoft Office vulnerability. CVE-2017-0199 is then exploited using a moniker script that downloads a second-stage binary from a remote command and control server. This binary file finally downloads a Remote Access Trojan (RAT) and executes it.

Previously, the detection rate for this threat was high, but attackers are able to evade detection by using the new PPSX attack vector.
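A defender-side check for the delivery described above, added here as an example and not taken from the original article: it lists OLE object relationships in an Office Open XML package (such as a PPSX attachment) that point outside the file. It assumes the remote object is referenced through an external `oleObject` relationship in the package's `.rels` parts, which the article does not spell out; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MAX_PART = 1 << 20  # skip relationship parts whose declared size exceeds 1 MiB


def external_ole_links(data: bytes):
    """Return (part, reason, target) findings for one OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            raw = pkg.read(info)
            if b"<!DOCTYPE" in raw:
                # Relationship parts have no use for a DTD; report, do not parse.
                findings.append((info.filename, "unexpected-dtd", ""))
                continue
            for rel in ET.fromstring(raw).iter(PKG_NS + "Relationship"):
                external = rel.get("TargetMode", "").lower() == "external"
                # endswith() also matches the Strict OOXML relationship type URI.
                if external and rel.get("Type", "").lower().endswith("/oleobject"):
                    findings.append((info.filename, "external-oleobject",
                                     rel.get("Target", "")))
    return findings


def constructed_package(external: bool) -> bytes:
    """Build a constructed, inert test package holding one relationship part."""
    target = "https://example.invalid/constructed" if external else "../embeddings/oleObject1.bin"
    mode = ' TargetMode="External"' if external else ""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("external", constructed_package(True)),
                        ("embedded", constructed_package(False))):
        print(label, external_ole_links(blob))
```

An embedded OLE object resolves to a part inside the package and produces no finding; any `external-oleobject` finding on an inbound attachment is worth quarantining for review.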

Affected Platforms:

Microsoft Windows – all versions

Resolution:

  • Ensure staff awareness of phishing attacks. Awareness campaigns should be provided and regularly refreshed to keep employees apprised of the latest phishing techniques.
  • Patch systems regularly with the latest security updates. Microsoft addressed this vulnerability back in April; users with updated patches are safe from these attacks.





Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
