2017-08-17

In what researchers are calling a first, malware distributors are now maliciously crafting PowerPoint Open XML Slide Show (PPSX) files to take advantage of a Microsoft Office vulnerability that is more typically exploited with Rich Text File documents.

The bug in this case is CVE-2017-0199, a vulnerability in Microsoft Office's Windows Object Linking and Embedding (OLE) interface, according to Trend Micro, whose researchers uncovered the scheme. Microsoft patched this bug in April 2017.

So far the attacks have largely focused on companies in the electronics manufacturing industry, with the intent of infecting them with a trojanised version of the REMCOS remote access tool (RAT). The REMCOS tool comes with myriad features for attackers, including the ability to download and execute commands, a keylogger, a screen logger, and webcam and microphone recorders.

In a 14 August blog post, Trend Micro threat analysts Ronnie Giagone and Rubio Wu said that the adversaries likely swapped RTF files with PPSX files to change things up and "evade antivirus detection."

The threat first arrives in the form of a spear-phishing email that appears to be sent from a cable manufacturing provider looking to place a large order. The email specifically asks if the recipient can supply a list of items, requesting a price quote and estimated delivery date.

However, upon opening up the attached file, all the recipient actually sees is a PPSX document that displays the vulnerability identifier "CVE-2017-8570." Strangely, this is not the vulnerability actually being exploited (as referenced before, the vulnerability being abused is CVE-2017-0199) – a quirk that Trend Micro chalks up to an error on the part of the toolkit developer.

The malicious PPSX file leverages the exploit to download another file, which Trend Micro detects as JS_DLOADER.AUSYVT, from an abused VPN or hosting service. This XML file, written in JavaScript, is essentially a malicious downloader program that runs a PowerShell command in order to retrieve the main REMCOS payload, which is camouflaged using various obfuscations and protections.
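As an added example, not code from the article or from Trend Micro's report, the following Python check inspects a PPSX package for the delivery pattern described above: a slide relationship that points an OLE object at an external target instead of an embedded part. It assumes the remote reference is expressed as an external OLE relationship in the slide's `.rels` part; the package contents and the URL it builds are constructed placeholders.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship namespace and the relationship type used for OLE objects
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_targets(data: bytes) -> list:
    """Return (part, target) pairs for slide relationships whose OLE object
    lives outside the package. A benign slideshow embeds its OLE payload in
    ppt/embeddings, so an OLE relationship with TargetMode="External" is a
    strong indicator of the remote-load pattern behind CVE-2017-0199."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    hits.append((name, rel.get("Target")))
    return hits


def build_sample_ppsx(external: bool) -> bytes:
    """Constructed minimal package for demonstration only; not a real document.
    The external target is a placeholder URL, not an indicator from the report."""
    target = "http://example.invalid/stage2" if external else "../embeddings/oleObject1.bin"
    mode = ' TargetMode="External"' if external else ""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId2" Type="{OLE_REL}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("ppt/slides/slide1.xml", "<sld/>")  # placeholder slide body
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, find_external_ole_targets(build_sample_ppsx(flag)))
```

Run the check over real attachments by passing the file bytes to `find_external_ole_targets`; any non-empty result deserves quarantine and a closer look.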

"Cases like this highlight the need for users to be cautious when opening files or clicking links in their emails – even if they come from seemingly legitimate sources," the blog post advises. "Spear phishing attempts can be rather sophisticated, and as seen with this example, can trick most users into downloading malicious files."

This article originally appeared at scmagazineuk.com