Recently, however, there’s been a shift from the use to Rich Text File attachments to Microsoft’s own PowerPoint format. According to the firm, a phishing email is sent to users, often spoofing an invoice, and has a .ppsx file linked. Downloading and opening the presentation reveals a slide with the text CVE-2017-8570, an older Office exploit that isn’t actually used in the attack. Instead, it exploits CVE-2017-0199, which is used to start the infection process via PowerPoint animations.
First, it runs a file called logo.doc, an XML file that downloads then downloads RATMAN.EXE. This trojanized version of the Remcos software lets attacks remotely execute code from anywhere in the world and uses an unknown .NET detector to make it harder to research. From there, it can contact the Command and Control Server and take screenshots, record keystrokes, take video footage, and access the microphone. If that’s not enough, attackers can quite easily take full control of the PC.
Fixed in April
Thankfully, Microsoft already addressed this issue in April via an update. Trend Micro suggests users “always patch their systems with the latest security update” to be safe. On top of that, some basic email security won’t go amiss. The use of PowerPoint makes it hard for anti-virus’ to detect, and this isn’t the first malware to utilize the software. As a result, users should ensure they only download files from known senders and be cautious even then. You can find more information about mitigation on the official blog post.