PPSX files are used for malicious payload dropping

London, UK – August 15, 2017 – Adversaries continue to exploit the CVE-2017-0199 vulnerability to deliver Trojans and rootkits. Recently, unknown attackers ran a campaign against the financial sector using malformed RTF files. Yesterday, researchers from Trend Micro reported a targeted attack on the electronics manufacturing industry. The adversaries send spear-phishing emails with MS PowerPoint Show (PPSX) attachments. When the victim opens the attachment, the PowerPoint Show animation feature triggers a link to a remote file, “logo.doc”, which is fetched from the attackers' server and executed through the CVE-2017-0199 flaw. That file in turn downloads a modified version of the REMCOS tool from the C&C server and runs it on the targeted system. REMCOS is a legitimate, commercially available remote access tool; here it gives the attackers remote control of the infected host. Because CVE-2017-0199 is usually seen exploited through RTF documents, antivirus signatures written for those lures may not fire on a PowerPoint attachment.
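The following Python script is an added example, not code from the original article or from Trend Micro's report. It performs the triage check a mail gateway or an analyst could run on a suspicious PPSX: it opens the OOXML package and lists every relationship under the ppt/ parts that is marked External and resolves to a network location, which is the mechanism a PowerPoint Show must use to pull a file such as logo.doc from a remote server. The sample package it builds is constructed for the demonstration; the address 203.0.113.10 is a documentation placeholder, not the campaign's infrastructure; the set of "remote" URL schemes is my assumption; and the script does not parse the slide's animation timing that actually triggers the link, so it is a heuristic rather than an exploit detector.

```python
"""Flag OOXML PowerPoint files (PPTX/PPSX) whose relationships point at remote targets.

Added example for triage: a heuristic, not Trend Micro's or any vendor's tool.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Schemes that make Office fetch the target over the network
# (assumption: this list was chosen for the example, extend it as needed).
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def remote_relationships(ooxml_bytes):
    """Return (part, rel_id, rel_type, target) for every relationship under ppt/
    that is marked TargetMode="External" and resolves to a network location.

    Hyperlinks are reported too (rel_type == "hyperlink") so a caller can weight
    them differently from oleObject and similar relationships, which load content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("ppt/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = urlparse(target).scheme.lower()
                # UNC paths (\\host\share) have no URL scheme but also reach out.
                if scheme in REMOTE_SCHEMES or target.startswith("\\\\"):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel.get("Id"), rel_type, target))
    return findings


def build_sample_ppsx(target):
    """Build a minimal, constructed PPSX-like package for the demo (not a captured
    sample): one slide whose .rels file links an OLE object to `target`."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml",
                    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def main(argv):
    # With a path argument, scan that file; otherwise scan the constructed sample.
    # 203.0.113.10 is a documentation placeholder address, not a real C&C.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_ppsx("http://203.0.113.10/logo.doc")
    hits = remote_relationships(data)
    for part, rel_id, rel_type, target in hits:
        print(f"SUSPICIOUS {part}: {rel_id} ({rel_type}) -> {target}")
    # Exit status 1 when anything other than a plain hyperlink reaches out.
    return 1 if any(t != "hyperlink" for _, _, t, _ in hits) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_ppsx.py attachment.ppsx`; a non-zero exit status means a slide, layout or presentation part links an OLE object or other content to a remote location, which a PowerPoint Show received by e-mail has little legitimate reason to do. Because the check reads only the package relationships, it runs safely on untrusted files without rendering them, but it will not see payloads delivered by other means (macros, embedded binaries), so it complements rather than replaces signature-based scanning.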

To protect against this threat, make sure that all MS Office updates are installed; Microsoft patched CVE-2017-0199 in April 2017, so a fully updated Office installation is not affected by this exploit chain. Until patching is confirmed, treat PowerPoint attachments that link to external OLE objects as suspicious. CyberView will help you discover all hosts where critical updates are missing. In addition, the S.M.A. cloud offers use cases for Splunk, QRadar and ArcSight that help you detect modern threats and reduce content development costs for your SIEM tool.