OLE flaw lets malware infected PowerPoint files evade antivirus detection

Microsoft PowerPoint is the latest platform used by cyber criminals for delivering malware. Reportedly, there is a vulnerability in the Windows Object Linking, and Embedding (OLE) interface that can be exploited to avoid detection by antivirus software. Malicious threat actors are using the OLE interface flaw to distribute infected Microsoft Office documents.

According to Trend Micro’s cyber security experts, this flaw can help in delivering RTF/Rich Text File documents, but attackers can also use it to compromise PowerPoint slide show documents. This is a unique way to exploit a flaw.

Related: Malware that infects users without needing to click anything

The attack is launched as a spear-phishing email. Researchers have provided a sample email in which the attachment is named as PO-483848.ppsx. The email is disguised as an order request from a cable manufacturing provider. The common targets of this campaign are electronics firms. The sender’s address appears as a message sent by a business partner. The recipient is asked to check the order and quote CIF (cost, insurance, and freight) along with FOB (free on board) prices.

The malicious attachment supposedly contains shipping information, but it is harboring a malicious slide show document. When this file is opened, it shows the text ‘CVE-2017-8570,’ which refers to another of Microsoft vulnerability. This infected file triggers an exploit for the CVE-2017-0199 vulnerability to start the infection process.

Infection flow of the malware (Image credit: TrendMicro)

The malicious code is executed through the animations feature on the PowerPoint Show. If the process meets success, it downloads a file named logo.doc containing JavaScript and XML code. Afterward, PowerShell is run to execute another file titled RATMAN.EXE. This file is a malicious version of the Remcos remote access tool. Connection with the malware’s C&C server is then established.

Remcos can carry out a variety of criminal operations on the compromised system such as screen capturing, keylogging, recording of audio and video via webcam and microphone and downloading/execution of other malware. The attacker manages to gain full control of the system. All this while, the victim remains unaware.

Researchers identified the use of NET protector in the attack after examining the sample attack. NET protector has various layers of protections that can help in making the process of reverse engineering extremely complex for researchers. This shows the attackers are quite skilled and experienced cybercriminals have launched the campaign not some newcomers.

Don’t click unknown email files; especially this Microsoft PowerPoint One

It is also worth noting that a majority of the methods that detect CVE-2017-0199 vulnerability are RTF attack based. This is probably the first time attackers have used PPSX PowerPoint as the main attack vector, which hints at the fact that attackers can code malware to avoid detection from an antivirus.

To address the flaw, Microsoft already released a patch in April so if you have updated your system, you are likely to remain safe from the malware campaign. Still, it is important to remain alerted and never to open emails from unknown or unverified sources. Users need to open or check files cautiously even the source seems legitimate because spear phishing attempts are becoming more and more sophisticated.

Trend Micro researchers Ronnie Giagone and Rubio Wu state that organizations can defend themselves by educating their staff. Since businesses are the key targets of this new malware campaign, therefore, employees need to play a significant role in thwarting the attacks. Businesses also need to patch their systems properly and updated for known vulnerabilities.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'