Microsoft Office tools, particularly Word, Excel, and PowerPoint, have always attracted criminal hackers because of their popularity among the masses. A slight glitch or an exploitable feature can therefore lead to massive cyber attack campaigns involving phishing and malware drops. Recently, a researcher discovered an attack method that exploits Microsoft Office PowerPoint for malware attacks.
Exploiting Microsoft PowerPoint For Malware Attacks
Researcher Marco Ramilli has disclosed a way to exploit MS Office PowerPoint for malware attacks. The attack method somewhat resembles phishing in that the malicious file directs the victim to a link hosting the payload. A successful attack, however, completes in a few steps. The researcher has shared the details of his findings in his blog post. While you can read the technical details in his blog, here we summarize the exploit in simple words.
As explained, the malicious file involved in this attack method appears to contain a blank page, but secretly connects to a malicious link. Ramilli analyzed the slide structure and noticed an external OLE object. Upon further analysis, he found that the target device was already infected by a file downloaded onto the system, namely wraeop.sct. After this step, stage 3 of the attack begins, which uses an internal image to execute additional code, leading to stage 4: the payload execution.
The researcher suspects the malware to be AzoRult after performing traffic analysis and considering the C&C admin.
Microsoft Office Exploits Aren’t New
Although the present discovery of a Microsoft PowerPoint exploit for dropping malware looks peculiar, it isn’t anything novel. Criminal hackers have already exploited PowerPoint in the past for such attacks. Last year, hackers ran an entire malware campaign via malicious PowerPoint email attachments.
Ramilli’s findings shouldn’t be taken lightly, as they may lead to mass-scale cyber attacks. The researcher also emphasizes taking the necessary measures to prevent this exploit.
“Microsoft should probably take care of this and try to filter or to ask permissions before including external contents, but still this will not be a complete solution (from my personal point of view). A deeper and more invasive action would be needed to check the remote content.”
Besides, we also know of the vulnerability in the Microsoft Word video feature, to which Microsoft has paid no heed and which hackers have begun exploiting in the wild. Therefore, Microsoft should work out a solution to this problem as soon as possible to avoid any damage.