Researchers have discovered that cyber attackers are exploiting a vulnerability that allows them to elude antivirus software to deliver malware via Microsoft PowerPoint.
The flaw itself exists in the Windows Object Linking and Embedding (OLE) interface and attackers have previously utilised it to deliver infected Rich Text File (.RTF) documents. Trend Micro's (opens in new tab) researchers noticed that attackers have now infected PowerPoint files (opens in new tab) to deliver malicious code.
The attacks begin with a spear-phising email with a message from a cable manufacturing provider. So far, those behind the recent attacks, have targeted organisations that operate in the electronics manufacturing industry with messages that appear to be sent from a business partner related to an order request.
The malicious PowerPoint file is attached to the email and tricks victims into thinking it contains shipping information. When opened, the file triggers an exploit for the CVE-2017-0199 vulnerability which then infects their system. The code is run using PowerPoint's show animations feature and this allows it to download a file logo document which then executes a file called 'RATMAN.EXE' via PowerShell.
This executable is merely a Trojanised version of the Remcos remote access tool that gives the attackers the ability to keylog, screenlog, tap into the systems microphone and webcam and even download and run other malware (opens in new tab). The user's machine is then under complete control of the attacker often without them even noticing that their device has been compromised.
Microsoft did release patches back in April to address the vulnerability and it is recommended that all users fully update their systems and stay on the lookout for emails similar in nature to the ones used in these attacks.
Image Credit: Andriano.cz / Shutterstock