Recently, a few customers have encountered a phishing attack that delivers malware through PowerPoint files. The attack exploits two main weaknesses, both present on workstations that are missing the updates for CVE-2017-8570 and CVE-2017-0199.
The first, CVE-2017-0199, was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware.
The second is a remote code execution vulnerability that exists in Microsoft Office software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user.
The Attack (in short)
Like most hacking campaigns, it begins with a phishing email carrying an attachment designed to look legitimate to end-users; the attachment is a .ppsx file.
Once the end-user opens the PowerPoint slide, it shows the text "CVE-2017-8570", a reference to a different Microsoft Office vulnerability. The infected file actually triggers an exploit for CVE-2017-0199 and starts infecting the end-user's computer; the malicious code is run through the animations feature of the PowerPoint Show. Once the flaw is successfully exploited, a file called logo.doc is downloaded.
REMCOS can carry out numerous criminal operations on the compromised system, including downloading and executing commands for other malware, keylogging, screen logging, and recording video and audio from both webcam and microphone. The REMCOS RAT allows the attacker to control a system from anywhere in the world.
The malicious file also uses an unknown .NET protector, which includes several protections and obfuscations that make it more difficult for security researchers to reverse engineer. In addition, since most methods of detecting CVE-2017-0199 focus on the RTF attack method, using a PPSX PowerPoint file as the attack vector allows attackers to avoid antivirus detection.
To recap, the attack proceeds as follows:
1. A phishing email with a PPSX file that includes the malware is received in the user's mailbox
2. TROJ_CVE20170199.JVU downloads a file called logo.doc from the C&C servers
3. logo.doc downloads a file called RATMAN.exe and executes it
4. RATMAN allows remote code execution on the end-user's machine
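A defender-side check for the first stage of this chain, added here as an example and not code from the original article: it opens a .pptx/.ppsx (an Open XML zip) and flags slide relationship parts whose oleObject relationships point at an external URL, which is how the OLE interface is reached from a slide. The skeleton presentations, the example.invalid URL and the file name are constructed sample data.

```python
"""Scan a .pptx/.ppsx (Open XML zip) for oleObject relationships whose target
is an external URL. Added example for this article, not the original post's code."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_external_ole(rels_xml) -> list:
    """Return the external targets of oleObject relationships in one .rels part."""
    root = ET.fromstring(rels_xml)
    return [
        rel.get("Target", "")
        for rel in root.iter(f"{{{RELS_NS}}}Relationship")
        if rel.get("Type", "").endswith("/relationships/oleObject")
        and rel.get("TargetMode") == "External"
    ]


def scan_presentation(data: bytes) -> dict:
    """Map each slide .rels part to its external OLE targets; {} means none found."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/slides/_rels/") and name.endswith(".rels"):
                hits = find_external_ole(zf.read(name))
                if hits:
                    findings[name] = hits
    return findings


def _build_sample(rels_xml: str) -> bytes:
    """Constructed minimal presentation skeleton holding only the parts scanned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


LAYOUT_REL = f'<Relationship Id="rId1" Type="{OFFICE_REL}/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
# Constructed sample: an OLE object whose Target is a remote URL instead of an embedded part.
EXTERNAL_OLE_REL = f'<Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" TargetMode="External" Target="http://example.invalid/logo.doc"/>'
CLEAN_RELS = f'<Relationships xmlns="{RELS_NS}">{LAYOUT_REL}</Relationships>'
SUSPICIOUS_RELS = f'<Relationships xmlns="{RELS_NS}">{LAYOUT_REL}{EXTERNAL_OLE_REL}</Relationships>'
CLEAN_PPSX = _build_sample(CLEAN_RELS)
SUSPICIOUS_PPSX = _build_sample(SUSPICIOUS_RELS)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PPSX), ("suspicious", SUSPICIOUS_PPSX)):
        print(label, scan_presentation(blob) or "no external OLE targets")
```

A legitimate embedded OLE object has no `TargetMode="External"` and points at a part inside the package, so a hit from this scan is worth quarantining and inspecting before the file reaches a user.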
Indicators of Compromise
The following file hashes are associated with this attack:
- a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35 (TROJ_CVE20170199.JVU)
- 7c01555ba4b3cbb68ec17c86ac2058664ad56f9f9803a9ffbf2706f0e0ad2f1c (JS_DLOADER.AUSYVT)
- 9546c04cad4983b02adf6ed09a3c5674c0b1ae239883ae3d1b82b046ecee37a (BKDR_RESCOMS.CA)
Affected Microsoft Office versions:
- Microsoft Office 2007 Service Pack 3
- Microsoft Office 2010 Service Pack 2 (32-bit editions)
- Microsoft Office 2010 Service Pack 2 (64-bit editions)
- Microsoft Office 2013 RT Service Pack 1
- Microsoft Office 2013 Service Pack 1 (32-bit editions)
- Microsoft Office 2013 Service Pack 1 (64-bit editions)
- Microsoft Office 2016 (32-bit edition)
- Microsoft Office 2016 (64-bit edition)
How to fix
Microsoft already addressed both vulnerabilities in its April and July security updates.
It is highly recommended to inform users not to open unknown emails or their attachments.
Note: if you have an EDR system such as Defender ATP, it allows you to detect the attack and respond as needed.