HackRead
OLE flaw lets malware infected PowerPoint files evade antivirus detection

August 15th, 2017 Uzair Amir Security, Malware, Microsoft 0 comments

Microsoft PowerPoint is the latest platform used by cyber criminals for delivering malware. Reportedly, there is a vulnerability in the Windows Object Linking and Embedding (OLE) interface that can be exploited to avoid detection by antivirus software. Malicious threat actors are using the OLE interface flaw to distribute infected Microsoft Office documents.

According to Trend Micro’s cyber security experts, this flaw has so far been used to deliver malicious RTF (Rich Text Format) documents, but attackers can also use it with PowerPoint slide show documents. This is an unusual way to exploit the flaw.


The attack is launched as a spear-phishing email. Researchers have provided a sample email in which the attachment is named PO-483848.ppsx. The email is disguised as an order request from a cable manufacturing provider, and the common targets of this campaign are electronics firms. The sender’s address is made to look like a message from a business partner. The recipient is asked to check the order and quote CIF (cost, insurance, and freight) and FOB (free on board) prices.

The malicious attachment supposedly contains shipping information, but it is in fact a malicious slide show document. When the file is opened, it shows the text ‘CVE-2017-8570,’ which refers to a different Microsoft vulnerability. The infected file actually triggers an exploit for the CVE-2017-0199 vulnerability to start the infection process.

Infection flow of the malware (Image credit: TrendMicro)

The malicious code is executed through the animations feature of the PowerPoint Show. If the exploit succeeds, it downloads a file named logo.doc containing JavaScript and XML code. PowerShell is then run to execute another file, RATMAN.EXE, a malicious version of the Remcos remote access tool. A connection to the malware’s C&C server is then established.


Remcos can carry out a variety of criminal operations on the compromised system, such as screen capturing, keylogging, recording audio and video via the webcam and microphone, and downloading and executing other malware. The attacker thereby gains full control of the system while the victim remains unaware.

After examining the sample, researchers identified the use of .NET Protector in the attack. .NET Protector applies multiple layers of protection that make reverse engineering extremely difficult for researchers. This suggests the campaign was launched by skilled and experienced cybercriminals rather than newcomers.

Don’t click unknown email files, especially this Microsoft PowerPoint one.

It is also worth noting that the majority of detection methods for the CVE-2017-0199 vulnerability are based on the RTF variant of the attack. This is probably the first time attackers have used a PPSX PowerPoint file as the main attack vector, which shows that attackers can adapt malware delivery to avoid antivirus detection.

To address the flaw, Microsoft already released a patch in April, so if you have updated your system you are likely to remain safe from this malware campaign. Still, it is important to remain alert and never open emails from unknown or unverified sources. Users need to open or check files cautiously even if the source seems legitimate, because spear phishing attempts are becoming more and more sophisticated.

Trend Micro researchers Ronnie Giagone and Rubio Wu state that organizations can defend themselves by educating their staff. Since businesses are the key targets of this new malware campaign, employees need to play a significant role in thwarting the attacks. Businesses also need to keep their systems properly patched and updated against known vulnerabilities.

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.