
Criminals exploit PowerPoint vulnerability to spread malware


Researchers have discovered that cyber attackers are exploiting a vulnerability that allows them to elude antivirus software to deliver malware via Microsoft PowerPoint. 

The flaw itself exists in the Windows Object Linking and Embedding (OLE) interface, and attackers have previously utilised it to deliver infected Rich Text File (.RTF) documents. Trend Micro's researchers have now noticed that attackers are using infected PowerPoint files to deliver malicious code.

The attacks begin with a spear-phishing email carrying a message from a cable manufacturing provider. So far, those behind the recent attacks have targeted organisations that operate in the electronics manufacturing industry, using messages that appear to be sent from a business partner in relation to an order request.

The malicious PowerPoint file is attached to the email and tricks victims into thinking it contains shipping information. When opened, the file triggers an exploit for the CVE-2017-0199 vulnerability, which then infects their system. The code is run using PowerPoint's show animations feature, which allows it to download a file (a 'logo' document) that in turn executes a file called 'RATMAN.EXE' via PowerShell.
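The chain described above hinges on a PowerPoint slide that references an OLE object living at a remote URL rather than inside the file, with an animation action that activates it. Because a .ppsx/.pptx file is a ZIP of XML parts, a defender can check for that pattern statically before the file is ever opened. The following scanner is an added example written for this article, not code from Trend Micro or the original page: it walks each slide's relationship part, flags any OLE-object relationship whose TargetMode is External, and separately notes whether the slide's timing tree contains OLE verb commands (the mechanism the "show animations" trick relies on). The sample presentation is constructed inline; the URL and part names in it are placeholders, not indicators from the real campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type Office uses for embedded/linked OLE objects (OOXML, ECMA-376).
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
PML_NS = "{http://schemas.openxmlformats.org/presentationml/2006/main}"

# Constructed sample parts (not from a real sample). The slide carries an
# animation command of type "verb", i.e. "activate the OLE object on show".
SLIDE_XML = (
    "<p:sld xmlns:p='http://schemas.openxmlformats.org/presentationml/2006/main'>"
    "<p:cSld><p:spTree/></p:cSld>"
    "<p:timing><p:tnLst><p:par><p:cTn><p:childTnLst>"
    "<p:cmd type='verb' cmd='3'><p:cBhvr><p:cTn/></p:cBhvr></p:cmd>"
    "</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing>"
    "</p:sld>"
)
RELS_TEMPLATE = (
    "<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
    "<Relationship Id='rId2' Type='{type}' Target='{target}'{mode}/>"
    "</Relationships>"
)


def build_sample_ppsx(target: str, external: bool = True, ole: bool = True) -> bytes:
    """Assemble a minimal presentation ZIP in memory so the scanner can run offline."""
    rel_type = OLE_REL_TYPE if ole else (
        "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image")
    mode = " TargetMode='External'" if external else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    RELS_TEMPLATE.format(type=rel_type, target=target, mode=mode))
    return buf.getvalue()


def scan_presentation(data: bytes) -> list[dict]:
    """Return one finding per slide relationship that is an OLE object fetched from outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            rels = ET.fromstring(zf.read(name))
            # Map the rels part back to its slide to look for OLE verb animations.
            slide_part = "ppt/slides/" + name[len("ppt/slides/_rels/"):-len(".rels")]
            verb_cmds = 0
            if slide_part in names:
                slide = ET.fromstring(zf.read(slide_part))
                verb_cmds = sum(1 for c in slide.iter(PML_NS + "cmd") if c.get("type") == "verb")
            for rel in rels.iter(REL_NS + "Relationship"):
                is_ole = rel.get("Type") == OLE_REL_TYPE
                is_external = rel.get("TargetMode", "Internal").lower() == "external"
                if is_ole and is_external:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "target": rel.get("Target"),
                        "verb_animations": verb_cmds,  # >0 means activation on show is wired up
                    })
    return findings


if __name__ == "__main__":
    sample = build_sample_ppsx("http://example.invalid/PLACEHOLDER.doc")
    for f in scan_presentation(sample):
        print(f"{f['part']}: external OLE {f['id']} -> {f['target']} "
              f"(verb animations on slide: {f['verb_animations']})")
```

An external OLE relationship is not proof of malice on its own (linked objects are a legitimate feature), but combined with a verb animation and a non-corporate host it is a strong triage signal, and the check costs nothing since it never renders the document.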

This executable is merely a Trojanised version of the Remcos remote access tool, which gives the attackers the ability to keylog, screenlog, tap into the system's microphone and webcam and even download and run other malware. The user's machine is then under the complete control of the attacker, often without them even noticing that their device has been compromised.
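Even when the document-level check is missed, the execution chain the article describes (PowerPoint, then PowerShell, then an executable dropped by PowerShell) is visible in endpoint process-creation telemetry. The detector below is an added example for this article, not the page's or Trend Micro's code; it assumes process events as JSON lines with pid, ppid, image and cmdline fields (a constructed format resembling Sysmon or EDR output), reconstructs each PowerShell process's ancestry, and alerts when an Office application sits in that ancestry, listing what the script host went on to launch. The sample events, paths and filenames are constructed; the set of Office images is an assumption the reader should widen for their estate.

```python
import json

OFFICE_IMAGES = {"powerpnt.exe", "winword.exe", "excel.exe"}  # assumption: extend as needed
SCRIPT_HOSTS = {"powershell.exe"}  # the host named in the article's chain
MAX_DEPTH = 8  # bound the ancestor walk in case of cyclic or reused pids

# Constructed sample telemetry: one benign PowerShell started from Explorer and one
# started by PowerPoint that then launches an executable from a user-writable path.
SAMPLE_EVENTS = r"""
{"pid": 1000, "ppid": 4,    "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 1200, "ppid": 1000, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"}
{"pid": 1300, "ppid": 1000, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE", "cmdline": "POWERPNT.EXE /s order.ppsx"}
{"pid": 1400, "ppid": 1300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -c PLACEHOLDER"}
{"pid": 1500, "ppid": 1400, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\RATMAN.EXE", "cmdline": "RATMAN.EXE"}
{"pid": 1600, "ppid": 1000, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict) -> list[str]:
    """Image names from the parent upwards, oldest last, bounded by MAX_DEPTH."""
    chain, cur, depth = [], by_pid.get(event["ppid"]), 0
    while cur is not None and depth < MAX_DEPTH:
        chain.append(image_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
        depth += 1
    return chain


def detect_office_script_chain(events: list[dict]) -> list[dict]:
    """Alert on script hosts with an Office ancestor; include what the host spawned."""
    by_pid = {e["pid"]: e for e in events}  # note: pid reuse would need timestamps too
    alerts = []
    for e in events:
        if image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        parents = ancestry(e, by_pid)
        office = [p for p in parents if p in OFFICE_IMAGES]
        if not office:
            continue
        children = [image_name(c["image"]) for c in events if c["ppid"] == e["pid"]]
        alerts.append({
            "pid": e["pid"],
            "office_parent": office[0],
            "chain": parents,
            "cmdline": e["cmdline"],
            "spawned": children,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_office_script_chain(parse_events(SAMPLE_EVENTS)):
        print(f"pid {a['pid']}: {a['office_parent']} -> powershell -> {a['spawned'] or 'nothing yet'}")
```

The benign Explorer-launched PowerShell produces no alert, which is the point: the parent relationship, not PowerShell itself, carries the signal. In production this rule sits alongside a patched Office, since the April fix for CVE-2017-0199 removes the need for PowerShell to be launched this way at all.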

Microsoft released patches back in April to address the vulnerability, and it is recommended that all users fully update their systems and stay on the lookout for emails similar in nature to the ones used in these attacks.


After getting his start at ITProPortal and then working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches to how to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.