Criminals are using the Windows Object Linking Interface in Powerpoint to install malware

https://www.onmsft.com/wp-content/uploads/2017/08/PowerPoint-978x580.png

Cyber criminals are using Microsoft PowerPoint to install malware. The Windows Object Linking Embedding (OLE) interface is the technology that allows exporting part of a document with a different editing application than the original. According to a report from Trend Micro (via Neowin), users are exploiting the use with PowerPoint slideshows.

These PowerPoint slideshows come in the form of an email and in the more recent cases, Neowin mentions that they come as attachments labeled shipping details. On closer inspection, the PPSX file from PowerPoint is just a playback  of the slideshow and opening it displays ‘CVE-2017-8570’.

But what’s happening behind the scenes is the problem. The CVE-2017-0199 Remove Code Execution vulnerability will open up to the exploit and run a process to download ‘logo.doc’ to the user’s computer. That document then runs a command to download ‘RATMAN.exe’ which can make a connection to a Command and Control server.

Tags: