Saturday, May 3, 2025
Home Blog Page 933

400 Million Windows Computer Vulnerable to “Bashware” Security Software Bypass Attack

400 Million Windows Computer Vulnerable to “Bashware” Security Software Bypass Attack

A New Attacking Technique called “Bashware” can able to Bypass all Windows Based Security Software solutions by abusing the New Windows 10 Future called Windows Subsystem for Linux (WSL) and Injecting the Backdoor.

WSL is Compatibility Layer for running Linux binary executable on Windows 10 based Computers that helps to Enable the bash terminal available for Windows OS users.

This Flow can able to allow any Malware’s to bypass the Advanced security solutions, Next Generation Anti Virus software, inspection tools, Anti-Ransomware solutions.

This means that Bashware may potentially affect any of the 400 million computers currently running Windows 10 PC globally.

Also Read :  Vault 7 Leaks: CIA Hacking Tool “Angelfire” Secret Document Revealed to Compromise WindowsOS – WikiLeaks

How Does it Bypass the security Futures

Presently Available security software Futures is not that much Effectively Monitoring the processes of Linux Executable’s running on Windows OS.

This will leads to open a backdoor to the hackers and run their Malicious code by abusing the  WSL futures which allow hiding from the current intelligence that is given by the security vendors.

Bashware Technique Mainly abusing the “Netcat” utility Futures that is used for reading and writing to network connections using TCP or UDP.

Netcat has some list of Futures including port scanning, transferring files, and port listening, and also it can be used as a backdoor.

In some case, Security Software like Anti-Virus is not allowed the Netcat Futures to get Executed.

By Default, 1337 port is closed because it leads to create a Backdoor and allow the Trojan services to run on the Windows Computers.

Once Bashware Execute the Malware, then it will Bypass all the security solutions and it will later Enable the WSL Future.

https://www.youtube.com/watch?v=4ki6dbEePaw&feature=youtu.be

End of the Execution will Successfully open the Netcat Listener port(1337) that will helps to Attackers to Open a Backdoor.

Windows Inspection Tools such as Task Manager will not Identify the Malicious Payload Process. Instead of that, it can only show the WSL Loader process.

Advanced Process Monitoring Tool also not Detecting the Malicious Payload Process which is Running behind of the WSL Process.

According to Checkpoint Software, a hybrid concept which allows a combination of Linux and Windows systems to run at the same time but allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms

Security industry to take immediate action and to modify their security solutions to protect against this new method to Mitigate this Actives. Checkpoint Said.

Beware !! Dangerous RAT’s Called “Adwind, Remcos, Netwire” Delivering via A360 Cloud Drive

Beware !! Dangerous RAT’s Called “Adwind, Remcos, Netwire”  Delivering via  A360 Cloud Drive

Widely Used A360 Cloud Drive Platform Abuse for Delivering Adwind, Remcos, Netwire  Remote Access Trojans and used as a Malware Distributing Platform by using File sharing site to host Malware.

Nowadays  Many Cloud Platform used as a Malware Delivering Platform that by hosting Malicious Files and also being served as a (C&C) infrastructure.

In this case, Command & Control Server Resolved by Free DNS services and it helps to RATs/backdoors that would phone back to their respective command-and-control servers after the Malicious RAT File were Downloaded and Executed.

“A360 is a cloud-based workspace that centralizes, connects and organizes your team and project information across your desktop, the web, and mobile devices.”A360 Drive provides online storage for collaboration. Anyone can create an account for free and given 5GB of space.

According to Trend Micro Report, U.S., South Africa, France, Italy, Germany, Hong Kong, and U.K. the most affected By this Distributed Adwind, Remcos, Netwire RAT’s.

Also Read:  Free Remote Access Trojan builder “Cobian RAT” Distributed a Backdoor

How Does These RAT’s Abusing the Cloud Infrastructure

These 3 RAT’s Initially Spreading via the Spam Email Campaign with Different Malware Variant Functions.

Adwind RAT  Intially Discovered from as a JAR file (JAVA_ADWIND.JEJPDY) which connect to the C&C Server when the Script get executed. later it will retrieve and exfiltrate multifarious data including credentials, keystrokes, and multimedia files.

RAT

NETWIRE RAT Identified through Spam Email Campign with attached  (JAVA_KRYPTIK.NPP) file containing a Java ARchive (JAR) along with Exicutable Script and futher analysis confrms that, it has string references NETWIRE remote access tool with keylogging and SOCKS proxy capabilities.

Trend Micro Discovered a Document File that Discovered as “AMMO REQUEST MOD Turkey.doc” (W2KM_DROPPR.XWD) that contains a generic template for macro malware used to abuse the A360 Drive .

Macro File is Encrypted and also Obfusticated Exicutable that will be finally Decrypted.it contains a payloadthat is a malicious PowerShell script that will download a file from A360 Drive and execute it.

The downloaded payload is a Visual Basic obfuscated executable file. Deobfuscating it reveals the Trojanized Remcos remote access tool (RAT), which is advertised, sold, and offered cracked on various websites and forums. Trend Micro said.

Free Remote Access Trojan builder “Cobian RAT” Distributed a Backdoor

Free Remote Access Trojan  builder “Cobian RAT”  Distributed a Backdoor
A Free Remote Access Trojan Builder called “Cobian RAT” Distributed with embedded Backdoor and it it was being offered for free and had a lot of similarities to the njRAT/H-Worm family.

This RAT was Distributing and advertising via some Secret and Darkweb Forums where cyber criminal selling and Buying advance Hacking tools.

This RAT has many similar activities same as njRAT/H-Worm family which is offering for free of cost.

This Backdoored RAT contains Many Advance Futures such as Keylogger, screen capture, webcam, voice Recorder, File Browser, Remote Command Shell and install/uninstall Future.

Also Read:   AndroidRat-TheFatRat to Hack and Gain access to Targeted Android Phone

How Does Cobian RAT Works

Initially, Cabian RAT Distributing through online Forums that contains hidden Backdoor that is controlling by the Original Author.

Next Level, RAT Payloads are generated by Builder Kits that is Distributing via Traditional Methods such as Email and Compromised Websites.

RAT

 Cobian RAT command-and-control server application

Here Pastebin URL used by the Malware author that helps to Pull the information from the Author.

Later, User systems Compromised by the Malicious payload and information will send to the Malware author’s Command & Control Server.

This allows the original author to control the systems infected by the malware payloads that were generated using this backdoored builder kit.

In this case, Malware Author can able to take the full control of the systems that was compromised by the  Cobian RAT botnets.

According to Zscaler Analysis, Cobian RAT spreding Via Microsoft Excel spreadsheet using an embedded icon and executable payload was served inside a ZIP archive.

“The executable file is packed using a .NET packer with the encrypted Cobian RAT payload embedded in the resource section. There is a series of anti-debugging checks performed by this dropper payload before decrypting the RAT and installing it on the victim’s system.”

This same RAT used to Compromise the Zscalar Cloud Sandbox from a Pakistan-based defense and telecommunication solution website.

During Zscaler analysis, we observed that when the machine name and username of the systems running the Cobian RAT payload (bot client) and the control server (bot C&C server) are the same, the backdoor module will not be activated and no communication will be sent to the backdoor C&C server.

Second Level Operator using both bot client and server applications in the same system that will lead to hiding the Payload and there will be no traffic generated from the bot client to the backdoor C&C server in this case.Zscaler Said.

Beware!! All Android Versions Up to 7.0 are Vulnerable to Toast Overlay Attack

Beware!! All Android Versions Up to 7.0 are Vulnerable to Toast Overlay Attack

Cloak & Dagger is a new class of potential attacks affecting Android devices. These attacks allow a malicious app to completely control the UI feedback loop and take over the device — without giving the user a chance to notice the malicious activity.

Security experts from Palo Alto Networks discovered a vulnerability with Android overlay system which allows an attack by Toast type Overlay. Every android devices less than 8.0 are vulnerable to this attack.

Overlay attacks allow an attacker to draw on top of other windows and apps running on the affected device. With this recently found overlay assault does not require a particular permissions or conditions to be compelling. Malware propelling this assault does not have to have the overlay consent or to be introduced from Google Play.

Also Read Millions of Android Phones including latest Versions Vulnerable

With these permissions are in all actuality, various effective assaults can be propelled on the device, including taking credentials, introducing applications silently, and locking the device for the payment.

Cloak and Dagger work by adjusting locales of the screen to change what the victim sees, deceiving them into empowering further permissions or recognizing their input data sources.CVE-2017-0752 was assigned for this vulnerability and it was fixed with security patch released on 2017-09-01, with the fix for a subset of vulnerabilities that are similar across all Android devices.

Vulnerability on Android OS

Experts say Toast overlay is normally used to show a rapid message over all different applications. For instance, a message showing that an email has been spared as the draft when a client explores away without sending an email.

It normally acquires all configuration options with respect to different windows sorts. Be that as it may, our examination has discovered utilizing the Toast window as an overlay window permits an application to compose over the interface of another App without asking for the SYSTEM_ALERT_WINDOW benefit this ordinarily requires.

Vulnerability occurs due to lack of permission checks in code validation with Android AOSP (version <= 7.0) and with Android OS version 7.1 it has multiple layers of mitigation, First layer forcibly due to lack maximum timeout and second mitigation, Android 7.1 allows only one Toast window per app to be shown at a time.

Through the overlay attack, an installed malicious app can fool the user into giving the app Device Administrator permissions. With this, it will have the capability to launch deadly attacks, including:

  1. Locking the device screen
  2. Resetting the device PIN
  3. Wiping the device’s data
  4. Preventing the user from uninstalling the App

Google patched and disclosed this vulnerability on September 5th of 2017.

Everything you Need to Know About The Evolution of Locky Ransomware

Everything you Need to Know About The Evolution of Locky Ransomware

The onset of Locky Ransomware campaign was thought to be evolutionary, but around the clock the campaign has grown to be revolutionary.

We had been monitoring and sharing Locky campaign updates since last month till date. It was observed that almost 23 million messages were sent in last 24-hour period, making it one of the largest malware campaigns seen in the latter half of 2017.

Locky Ransomware

Ransom Notes From Locky Ransomware

The other day 711 million addresses were found to be leaked onto the internet by Online Spambot. The profound dump had found coherencies with recent Locky malspam activities.

The analysis of the thousands of emails sent in the campaign revealed this attack data: 11,625 different IP addresses in 133 different countries are being used to perform this campaign and also Spreading via spoofing Dropbox.

The countries housing the most attack servers are Vietnam, India, Mexico, Turkey, and Indonesia.

The evolution focused on changing tactics mid-game and experimenting with new extensions or new baits to get unsuspecting users to click.

Key Attributes of Locky Ransomware

The late August campaign uses the IKARUS dilapidated version of Locky, which had the .lukitus extension. It spreads using a botnet of zombie computers responsible for coordinating a phishing attack.

While some of the campaigns were also seen spreading with a ZIP attachment that contains a Visual Basic Script (VBS) file that is nested inside a secondary ZIP file.
Once clicked, VBS file initiates a downloader that reaches out to the malicious domain to pull down the latest Locky ransomware.

Additional capricious characteristics included the malicious documents exhibiting harmless behavior in many sandboxes while still infecting end users.

In the latest spam run, the ransomware infection has been resorted to spoofing Dropbox. And accessing the malicious dropbox websites drops Locky payload.

Locky Ransomware

C&C Server Communication for Download Locky Ransomware

Recently we had seen in HoeflerText camapaign, website generates a bogus popup message informing the user the webpage they are trying to view cannot display correctly because the browser is missing the correct “HoeflerText” font.

The message then prompts the user to fix the error. When clicked, receives a JavaScript file which is designed to download and install Locky ransomware

Detection Tips

  • Locky ransomware uses registry keys (shared in IOCs – Locky Ransomware) for persistence. Therefore, it is important to monitor registry keys for infection detection.
  • A domain check rule for Dropbox access can be created incorporating to enhance visibility.

Prevention Tips

  • Most of the trusted antimalware solutions have found quipped with signatures to detect and stop execution of Locky ransomware.
  • As maldoc is found to be the source in some of the Locky infection, it is advisable to disable the usage of macros in Microsoft Office applications (MS-Word).
  • A rule can be created for email gateway devices which can generate alerts upon receipt of attachment with MS-Office extensions (xls|xlsx, doc|docx, ppt|pps etc.) from unknown sources and/or found with binary contents.
  • Block the IP, URLs, file hashes that have identified in connection with the campaigns and spreading malware. Please refer the attachment IOCs – Locky Ransomware.xlsx for details.

Vault 7 Leaks: CIA Tool “Protego” Used to Control Missile System and to Launching Missiles- WikiLeaks

Vault 7 Leaks: CIA Tool  “Protego” Used to Control Missile System and to Launching Missiles- WikiLeaks

WikiLeaks Revealed a New CIA Document called “Protego” is PIC micro controller based Missile Control System Project and along with this, it contains  37 related proprietary hardware/software manuals.

Raytheon has Developed the missile control system that severing under the Protego Project.

Few Day before WikiLeaks Revealed CIA Hacking Tool called “Angelfire” which comprised of 5 integrated components that are used to Compromise the Windows Computers Especially Windows 7 and Windows XP

This Tool Different From other CIA Leaked Tool that all are Leaked under Malware and other cyber Attack Related one.

Based on the Indication of the Document, this tool is installed onboard a Pratt & Whitney aircraft (PWA) equipped with missile launch systems.

Missile System has 3 Micro Controllers (‘Missle Smart Switch’, MSS), the tube (‘Tube Smart Switch’, TSS) and the collar (which holds the missile before and at launch time) which is Placed in the Missile itself.

Separate micro-controller units are Equipped with Protego which helps to Exchange the data signals over encrypted and authenticated channels.

Protego system Image Requirement

Protego consists of 7 Different Images that are the complete Requirement used to Develop the Protego Project. Following Images are using for Different Purpuses.

  1. P1.X.production.hex
  2. P2.X.production.hex
  3. P3.X.production.hex
  4. P4.X.production.hex
  5. P5.X.production.hex
  6. P1_S.X.production.hex
  7. P2_ Maintenance.production.hex

According to Leaked CIA Document First, 3 Images using for build images are unique for each Collar, Tube, and Missile set and the keys must match.

Next 4th and  5th  Images used for used on the deployment Box for configuration control of any Protego system.

Last 2 Images used for build images are used when reprogramming the MP processor.

 
Master Processor is used to receiving 3 Signals from a beacon that are   ‘In Border’ (PWA is within the defined area of an operation), ‘Valid GPS’ (GPS signal available) and ‘No End of Operational Period’ (current time is within the defined timeframe for an operation)
Missiles can only be launched if all signals received by MP are set to ‘true’. Similarly, safeguards are in place to auto-destruct encryption and authentication keys for various scenarios (like ‘leaving a target area of operation’ or ‘missing missile’).  CIA Document Says.
 

Previous CIA Leaked Tools – wikileaks

Vault 7 Leaks: CIA Hacking Tool “Angelfire” Secret Document Revealed to Compromise Windows OS – WikiLeaks

Vault 7 Leaks: CIA Conducts Secret Cyber Operation “ExpressLane” Against Their Intelligence Partners -WikiLeaks

Vault 7 Leaks: CIA Hacking Tool “CouchPotato” Remotely Capture Videos & Images -WikiLeaks

Vault 7 Leaks: CIA Cyber Weapon “Dumbo” Hack WebCams & Corrupt Video Recordings –

 Vault 7 Leaks: CIA Hacking Tools “Achilles, Aeris, SeaPea” Revealed to Hack Mac and Linux OS -WikiLeaks

Raytheon – Vault 7 Leaks: CIA Owned PoC Malware Development Surveillance Projects “UCL Under Raytheon” Leaked

 

HighRise – Vault 7 Leaks: CIA Android Ha Vault 7 Leaks: CIA Hacking Tools “Achilles, Aeris, SeaPea” Revealed to Hack Mac and Linux OS -WikiLeaks

Hacking Tool “HighRise” Steals Data From Compromised Android Phones via SMS – WikiLeaks

Gyrfalcon –  Vault 7 Leaks: CIA Cyber Weapon “BothanSpy” and “Gyrfalcon” Steals SSH Credentials From Windows and Linux Computers – WikiLeaks

OutlawCountry – Vault 7 Leaks: CIA Malware “OutlawCountry” Controls Linux Machine and Redirect the Victims Traffic into CIA Controlled Machine – WikiLeaks

ELSA – Vault 7 Leaks: CIA Malware “ELSA” Tracking Geo-Location of WiFi Enabled Windows Computers – WikiLeaks

Brutal Kangaroo – CIA Hacking Tool “Brutal Kangaroo” Revealed to Hack Air-Gapped Networks by using USB Thumb Drives -WikiLeaks CherryBlossom –  Wikileaks

Revealed New CIA Wireless Hacking Tool “Cherry Blossom” Compromise Your Wireless Network Devices using MITM Attack

Pandemic –  New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download

Deep Web Browser Tor Now With More Security and Compatibility

Deep Web Browser Tor Now With More Security and Compatibility

Tor browser ensures your communication around an distributed system of transfers keep running by volunteers all around the globe.

It prevents some person viewing your Internet connection from realizing what websites you visit, it prevents the websites you visit from learning your physical location, and it gives you a chance to get to websites which are blocked.

There is a bunch of reasons why people may look to share records anonymously, with the principal that rings a bell being the situation of informants or political activists attempting to keep up a strategic distance from abuse.(TOR)

Tor Browser

At the point when a client begins utilizing Tor, it goes through the primary hub in the circuit from a pool of 2500 out of 7000 PCs, which named as “Entry Guard” which has high uptime and accessibility.

Also Read TOR and VPN Anonymous enough for Dark Web

Tor Browser 7.0.5

Deep web site are not accessible by common browsers like Internet Explorer or Google Chrome. To get dark web access you will need to download the dark web browser called TOR browser bundle. Only get it from the official TOR website, never download it from anywhere else!

With Tor Browser 7.0.5 it ensure HTTPS-Everywhere is compatible for Tor Browser. HTTPS Everywhere is an addon made by EFF and the Tor Project which consequently switches thousands of websites from shaky “http” to secure “https”.

You can download the recent version of TOR browser here

  • Update HTTPS-Everywhere to 2017.8.31
  • Update NoScript to 5.0.9
  • Bug 23166: Add new obfs4 bridge to the built-in ones
  • Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
  • Bug 21270: NoScript settings break WebExtensions add-ons

Also Read Share Files Anonymously using TOR and OnionShare

New Apache Struts Vulnerability Allows Attackers to Take Control Over Web Servers

New Apache Struts Vulnerability Allows Attackers to Take Control Over Web Servers

Apache Struts is a free and open-source framework used to build Java web applications.This is not the first remote code execution vulnerability discovered on Apache Struts.

Security Expert from Man Yue Mo from lgtm found a remote code execution vulnerability in Apache Struts. This vulnerability has been assigned with Security Bulletin CVE-2017-9805

Experts found the vulnerability due to unsafe deserialization in Java.In the Last March also an RCE vulnerability reported by Nike Zheng with Struts 2.3.31 & 2.3.5.

Also Read :  ApacheStruts2 Remote Code Execution Vulnerability S2-046

What is Java Deserialization

Java deserialization weakness influences essentially all applications that acknowledge serialized Java objects and gives attackers an approach to increase a complete remote control of an application server.

The vulnerability enables aggressors to obtain total control over the server on which the application is facilitated and make a wide range of destruction.

The vulnerability enables aggressors to obtain total control over the server on which the application is facilitated and make a wide range of destruction.

As indicated by the researcher, the exploit is caused by the way Struts deserializes unsanitized client provided information.

An aggressor could transfer a malicious file and obtain control over an application subsequent to increasing remote code execution rights on the objective’s Struts-based application server.

An aggressor could transfer a malicious file and obtain control over an application subsequent to increasing remote code execution rights on the objective’s Struts-based application server.

Due to the severity of the vulnerability Man Yue he didn’t disclose more details about this vulnerability.He reported the Vulnerability to the vendor on 17 July 2017 and it has been fixed with Struts version 2.5.13 released yesterday.

This new version contains a fix for many security vulnerabilities.

  • CVE-2017-9793 – DoS attack is possible when using outdated XStream library with the Struts REST plugin
  • CVE-2017-9804 – Possible DoS attack when using URLValidator

Now the version has been published, Server administrators are strongly advised to update their Apache Struts as soon as possible.

Beware!! Dangerous Locky Ransomware Spreading Via Dropbox Link and Compromise Your PC

Beware!! Dangerous Locky Ransomware Spreading Via Dropbox Link and Compromise Your PC

Nowadays Trending Dangerous Ransomware “Locky” Discovered that used to spreading via Malicious Email Spam campaign with attached malicious JavaScript (.js) that links to fake Dropbox pages.

The Locky Ransomware re-emerging continuously day by day with new email distribution campaign and its has reported by many Security Research Firm and identified as one of the Fastly Spreading Malware Campaign.

Earlier August 2017, Cyber Security Firm Comodo Threat Research Labs Initially Discover the Variant of Locky Ransomware that was spreading via Phishing Email Campaign.

Few days Before  Massive Locky Ransomware Campaign Over 23 Million Messages sent in 24 hours.which makes it one of the biggest malware campaigns in the latter half of 2017.

Currently, Locky Ransomware spreading very fast and causing big Damage in WorldWide.

This Locky Ransomware variant Targeting Google Chrome and Firefox browser users by forcing to update the  HoeflerText  Plugin.

Also Read:  Massive Locky Ransomware Campaign Over 23 Million Messages sent in 24 hours

How Does Locky Ransomware spreading via Fake Dropbox Link

Initially, Users receive a Spam Email Campaign along with a Dropbox link that says to verify the Email Address, that has arrived from Spoofed Email address and emails were botnet-based, and they came from various IP addresses around the world.

Locky Ransomware

When User Click Email Address it Leads to an another Fake Dropbox Site that hosted WITH fake Dropbox pages and it contains the information with a link and “Please click here to download a new verification message.”

Locky Ransomware

According to Brad Duncan who has Discovered this Email Campaign, this Link Doesn’t work when he tried to access via Internet Explorer 11 or Microsoft Edge.

Later it has tested in Chrome and Discovered that they displayed a fake notification “HoeflerText” font was not found and it contains an update button in chrome.

Locky Ransomware

If user Click the Update button, a JavaScript file named Win.JSFontlib09.js will be received.

JavaScript file Designed to Download and install Locky Ransomware into victims computer.

“Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use.”

“If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection,” Duncan said.

PowerPoint file Equipped with CVE-2017-0199 could Compromise Your System

PowerPoint file Equipped with CVE-2017-0199 could Compromise Your System

Security experts from FortiGuard Labs discovered a malicious Powerpoint file in name ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx using the CVE-2017-0199 Vulnerability.By opening, this malicious PDF file may compromise your system.

CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to use a flaw that exists within the Windows Object Linking and Embedding (OLE) interface of Microsoft workplace to deliver malware.

This vulnerability has been disclosed and patched in last April 2017. This vulnerability triggers an RCE with Microsoft Office or Word with specially crafted files.

Fortigate identified that the flaw is used by attackers in Windows Object Linking and Embedding (OLE) interface of Microsoft Office and gain control over the system.

Powerpoint Malware
Source : Fortinet

When the malicious file opened by the user it triggers ppt/slides/_rels/slide1.xml.rels and then it use to download remote code from hxxp://www[.]narrowbabwe[.]net:3345/exp[.]doc.The remote code developers include blank spaces to evade malware detection.

Also Read Exploit Windows Remote PC with EternalBlue & DoublePulsar Exploit through Metasploit

They observed that exploit to use to download the doc file and it consist of XMLand JavaScripts.The Java Script used to escalate Privilege and bypass UAC.The UAC bypass method involves hijacking the registry in HKCU\software\classes\mscfile\shell\open\command and then executing eventvwr.exe.

After decoding all the scripts it will read the following registry if it dosesn’t exists it will create them.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Seed0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Feed0

Then it looks for the network adapter configured to connect with C&C server HTTP POST to hxxp://www[.]narrowbabwe[.]net/comsary/index[.]php to connect and download the malicious payload to establish control over the machine.

Also Read Exploitation Framework for Embedded devices – RouterSploit

Solution From Fortinet

  • Apply the patches released by Microsoft in April that covers the CVE-2017-0199 vulnerability.
  • FortiGuard Antivirus service detects this threat as
  • MSOffice/Downloader!exploit.CVE20170199
  • FortiGuard Web Filtering service blocks all C&C and related URLs.
  • FortiSandbox rates the PPSX file as High Risk.

https://www.youtube.com/watch?v=zpfNf8JTSQM