OLE Malware Hides in a PowerPoint Slideshow Evade Antivirus Detection

The latest platform used by cyber criminals to sneak malware into devices seems to be Microsoft PowerPoint. According to reports, a vulnerability has been found in the Windows Object Linking and Embedding (OLE) interface, which can be used in such a way that it avoids the detection of antivirus software. This OLE interface flaw is used by malicious threat actors as a way to distribute infected Microsoft Office documents.

As Trend Micro’s cyber security experts say, this flaw helps attackers deliver RTF/Rich Text File documents, but can also be used to compromise PowerPoint slide show documents, which is a unique way of exploiting a flaw.

The attack starts off with a spear-phishing email. According to researchers that have provided a sample of the email, there is an attachment named as PO-483848.ppsx. The email itself is masked as an order request from a cable manufacturing provider, and the common victims of the campaign are electronic firms. The address of the sender appears as sent by a business partner, and the victim is asked to check the order and quote CIF (cost, insurance, and freight) along with FOB (free on board) prices.

The attachment has shipping information in it and is harboring a malicious slide show document. once you open the file, text appears, saying ‘CVE-2017-8570,’ which refers to another of Microsoft vulnerability. This infected file triggers an exploit for the CVE-2017-0199 vulnerability to start the infection process.

Interestingly enough, the malicious code is executed with the help of the animations feature on the PowerPoint Show. If successful, a file named logo.doc is downloaded, in which is JavaScript and XML code. Afterward, PowerShell is run to execute another file titled RATMAN.EXE, which is a malicious version of the Remcos remote access tool. Connection with the malware’s C&C server is then established.

Remcos can then do any of the following criminal operations on the compromised system: record audio, keylog, screen capture, record video via webcam, or download and execute another malware. The system can completely be taken over by the attacker, while the victim stays unaware of the situation.

After examining the sample attack, researchers were able to identify the use of NET protector in the attack – it has various layers of protection that can help in making the process of reverse engineering extremely complex for researchers. This proved that the attackers were quite skilled and with experience in cyber crime, and not newbies of any kind.

It is also important to say that most of the methods that detect CVE-2017-0199 vulnerability are RTF attack based, and this has probably been the first time that PPSX PowerPoint was used as the main attack vector. This may point in the direction that the attackers are able of coding malware to avoid detection from an antivirus.

Microsoft has already reacted to this and released a patch in April that should keep you safe from these types of attacks in case you updated your system. Still, it is important to remain alerted and never to open emails from unknown or unverified sources. Users need to open or check files cautiously even the source seems legitimate because spear phishing attempts are becoming more and more sophisticated.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.