A new malware campaign is leveraging the CVE-2017-0199 vulnerability and making its way into businesses through a malicious PowerPoint email attachment.
Trend Micro security researchers discovered the campaign, and this is the first time the exploit has been seen abusing PowerPoint Slide Show files in the wild.
The vulnerability allows an attacker to take control of an affected system. An attacker could then install applications; view, change, or delete data; or create new accounts with full user permissions.
According to Trend Micro:
“CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents, a method used by the DRIDEX banking trojan discovered earlier this year.”
The attack starts with an email about shipping information that carries a malicious PowerPoint file as an attachment. When the malicious PowerPoint Show file is opened, it exploits the CVE-2017-0199 vulnerability, which downloads and executes RATMAN.exe (a remote control tool that enables attackers to control infected systems) on the targeted system.
“Users should also always patch their systems with the latest security updates. Given that Microsoft already addressed this vulnerability back in April, users with updated patches are safe from these attacks.”
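A defender-side triage check for the kind of attachment described above, as an added example that is not from Trend Micro or the original article: it lists OLE object relationships in a PowerPoint package that point outside the file. It assumes the attachment is an OOXML (.ppsx/.pptx) zip package and that the remote content is referenced through an external OLE relationship; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of OOXML package relationship parts (*.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_TYPE_SUFFIX = "/oleObject"  # tail of the OLE object relationship type URI

def find_external_ole_links(data: bytes):
    """Return (rels part, target) for every OLE relationship marked External."""
    hits = []
    # Legacy binary .ppt/.pps files are not zip packages and raise BadZipFile here.
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                # For untrusted mail attachments, use a hardened XML parser instead.
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                hits.append((name, "<unparseable relationships part>"))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                external = rel.get("TargetMode", "").lower() == "external"
                is_ole = rel.get("Type", "").endswith(OLE_TYPE_SUFFIX)
                if external and is_ole:
                    hits.append((name, rel.get("Target", "")))
    return hits

def build_sample(external: bool) -> bytes:
    """Constructed test package holding only the one .rels part the scanner reads."""
    mode = ' TargetMode="External"' if external else ""
    target = "http://payload.example.invalid/x" if external else "../embeddings/oleObject1.bin"
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"'
        f' Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for label, sample in (("external", build_sample(True)), ("embedded", build_sample(False))):
        print(label, find_external_ole_links(sample))
```

An empty result means no external OLE link was found, not that the file is safe; a hit is a reason to quarantine the attachment for analysis.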