The Microsoft Office remote code execution vulnerability (CVE-2017-0199) resided inward the Windows Object Linking as well as Embedding (OLE) interface for which a patch was issued inward Apr this year, only threat actors are yet abusing the flaw through the dissimilar mediums.
Security researchers bring spotted a novel malware drive that is leveraging the same exploit, only for the outset time, hidden behind a peculiarly crafted PowerPoint (PPSX) Presentation file.
According to the researchers at Trend Micro, who spotted the malware campaign, the targeted assail starts amongst a convincing spear-phishing e-mail attachment, purportedly from a cable manufacturing provider as well as mainly targets companies involved inward the electronics manufacturing industry.
Researchers believe this assail involves the purpose of a sender address disguised equally a legitimate e-mail sent past times a sales as well as billing department.
Here's How the Attack Works:
The consummate assail scenario is listed below:
Step 2: Once executed, the PPSX file calls an XML file programmed inward it to download "logo.doc" file from a remote place as well as runs it via the PowerPoint Show animations feature.
Step 3: The malformed Logo.doc file thence triggers the CVE-2017-0199 vulnerability, which downloads as well as executes RATMAN.exe on the targeted system.
Step 4: RATMAN.exe is a Trojanized version of the Remcos Remote Control tool, which when installed, allows attackers to command infected computers from its command-and-control server remotely.
Since the exploit is used to deliver infected Rich Text File (.RTF) documents, most detection methods for CVE-2017-0199 focuses on the RTF. So, the purpose of a novel PPSX files allows attackers to evade antivirus detection equally well.
The easiest agency to forestall yourself completely from this assail is to download as well as apply patches released past times Microsoft inward Apr that volition address the CVE-2017-0199 vulnerability.
Share This :
comment 0 Comments
more_vert