Monday, November 25, 2024
HomeMalwarePowerPoint Slide Show Infected by New Malware that Exploiting Zero-day RCE...

PowerPoint Slide Show Infected by New Malware that Exploiting Zero-day RCE Vulnerability

Published on

New Malware that abuses MS Power point slide show by Exploiting the CVE-2017-0199 (Zero-day remote code execution vulnerability) flow Exists in Windows OLE (Object Linking and Embedding).

Malicious Rich Text File (RTF) documents used for Exploit this Vulnerability by using Microsoft Office interface to Deliver this Malware.

This Malware used by the same Method of DRIDEX Trojan that was integrated with Auto Bomb Technique.

- Advertisement - SIEM as a Service

Cyber security Firm Trend Micro Discover this Trojan as TROJ_CVE20170199.JVU through Phishing Main Campaign.

Malware Working Flow

Same as other Malware, spear-phishing email method is used for spreading this Trojan with attached Malicious PPSX file.

The attacker uses Fraudulent Email send address look like a legitimate Business partner that involved in the electronics manufacturing industry.

Zero-day

Malicious Email with Attached PPSX file

This Email seems to be an order request but it contains Attacked Malicious PPSX file.

It shows CVE-2017-8570 once the Powerpoint slide is opened, that is meant to be different Microsoft Vulnerability.But instead of that it actually Performing an Exploitation of Another Microsoft Vulnerability (CVE-2017-0199).

Once this Malware triggered in victims machine exploit runs the remote code at “http://192.166.218.230:3550/logo.doc” which is a VPN or hosting service that is abused by the attacker.
Zero-day
Image Source: Trend Micro

Abused VPN or Hosting IP

Later it will Download the Malicious logo.doc File from the Command & Control server

Zero-day
Image Source: Trend Micro

Malware Execution Road MAP

According to Trend Micro ,This logo.doc file is an XML format with Embedded JavaScript Code that will runs a PowerShell command to download and execute the file known as RATMAN.EXE .

The executable is actually a trojanized version of the REMCOS remote access tool (RAT) from the (C&C) server: http://192.166.218.230:3550/ratman[.]exe, which is located in Poland.

Finally RATMAN.EXE connect to the C&C Server(5.134.116.146:3550 ) for the Execution and allow the remote code to Execute into the victims machine.

REMCOS RAT Capability

REMCOS RAT is legitimate Remote Access tool that can help to control the system from anywhere is the World.

It can able to Execute the remote commands on the user’s system  Once REMCOS is executed.

The tool’s capabilities are quite comprehensive, and includes a download & execute command, a keylogger, a screen logger, and recorders for both webcam and microphone.Trend Micro said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...