New PowerPoint Malware Method

Friday, June 9, 2017 @ 02:06 PM gHale

Inventive attackers are now able to have malware enter systems through a vulnerability in a link in a PowerPoint slideshow.

Right now, this spam campaign is focusing on UK and other European companies in the manufacturing, device fabrication, education, logistics, and pyrotechnics industries.


This attack might have been just a dry run to test the new technique, Trend Micro researchers said in a blog post.

The malware starts as a spam email disguised as an invoice or purchase order, with a malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) file attached, the researchers said. PPS/PPSX files are unlike PowerPoint presentation files (PPT or PPTX) because the latter can later be edited; a PPS or PPSX file can be considered the final product, as it opens directly in presentation/slideshow mode.

Once the victim downloads and opens the file, user interaction is needed — hovering over the text or picture embedded with a malicious link (which triggers a mouse over action), and choosing to enable the content to run when prompted by a security notice pop-up, the researchers said. Microsoft disables the content of suspicious files by default — via Protected View for later versions of Office — to mitigate the execution of malicious routines that abuse features in Microsoft Office, such as macros and Object Linking and Embedding (OLE). A key ingredient in the infection chain is social engineering — luring the victim into opening the file and enabling the malware-laced content to run on the system.

Once the content is enabled, an embedded malicious PowerShell script is executed that downloads another downloader (JS_NEMUCOD.ELDSAUGH) in the form of a JScript Encoded File (JSE), which finally retrieves the payload from a command-and-control (C&C) server.

Users are recommended to use Protected View, which Microsoft enables by default, especially for documents downloaded from possibly unsafe locations, researchers said. Protected View provides a way for users to read the content of an unknown or suspicious file while significantly reducing the chance of infection. For IT/system administrators and information security professionals, these threats can be mitigated by disabling these features on the machines through registry edits, or by implementing group policies that block user permissions from running them in the first place.

This entails enforcing the principle of least privilege — limiting root or administrator access to the machines. Another countermeasure is to adopt best practices for using and securing tools and services like PowerShell, which this Trojan downloader uses to retrieve and introduce additional malware into the system.

If functionalities such as macros and mouse hovers are necessary for the business process, enable them only in the application/software that uses them, or allow only signed/approved macros. However, these will not stop malware attacks that abuse features like macros and mouse hovers; a certificate that signs a macro, for instance, can be compromised. A multi-layered approach is key. For example, a sandbox that can quarantine and analyze suspicious attachments can be considered. Data categorization and network segmentation help limit exposure and damage to data.
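One way to check whether a machine actually has the settings named above in place, as an added example that is not from the article or from Trend Micro: a read-only PowerShell audit of the per-user PowerPoint Trust Center values (macro handling, Protected View) and the machine-wide PowerShell script block logging policy. It assumes Office 2016 or later (registry version 16.0) and is run as the user whose settings are being inspected; it reports weak values and changes nothing.

```powershell
# Added example (not from the article): audit Office/PowerShell hardening values.
# Assumes Office 2016/2019/365, whose settings live under the "16.0" registry key.
$officeVer = '16.0'
$sec = "HKCU:\Software\Microsoft\Office\$officeVer\PowerPoint\Security"
$pol = "HKCU:\Software\Policies\Microsoft\Office\$officeVer\PowerPoint\Security"

function Get-RegValue {
    param([string[]]$Paths, [string]$Name)
    # A Group Policy value (Policies hive) overrides the user's own preference, so it is checked first.
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # not set: Office falls back to its built-in default
}

$findings = @()

# VBAWarnings: 1 = enable all macros (weak); 2 = disable with notification (Office default);
# 3 = only digitally signed macros run; 4 = disable all macros without notification.
$vba = Get-RegValue @($pol, $sec) 'VBAWarnings'
if ($vba -eq 1) { $findings += 'Macros enabled without any prompt (VBAWarnings=1)' }
elseif ($null -eq $vba -or $vba -eq 2) { $findings += 'Macros run as soon as the user clicks Enable Content; consider VBAWarnings=3 (signed only)' }

# blockcontentexecutionfrominternet=1 blocks macros in files carrying the Mark-of-the-Web
# (mail attachments, downloads) regardless of what the user clicks on the security bar.
if ((Get-RegValue @($pol, $sec) 'blockcontentexecutionfrominternet') -ne 1) {
    $findings += 'Macros in Internet-sourced files are not blocked outright'
}

# Protected View: a value of 1 under ...\Security\ProtectedView switches that trigger OFF,
# so all three should be absent or 0. ("Attachements" is the real, misspelled value name.)
foreach ($v in 'DisableAttachementsInPV', 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV') {
    if ((Get-RegValue @("$pol\ProtectedView", "$sec\ProtectedView") $v) -eq 1) {
        $findings += "Protected View disabled for one file source ($v=1)"
    }
}

# Script block logging (machine policy) records the decoded text of every script PowerShell runs,
# including a downloader stage like the one described, as event 4104 in Microsoft-Windows-PowerShell/Operational.
$sbl = Get-RegValue @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging') 'EnableScriptBlockLogging'
if ($sbl -ne 1) { $findings += 'PowerShell script block logging is not enabled' }

if ($findings.Count -eq 0) { 'No weak settings found' } else { $findings | ForEach-Object { "WEAK: $_" } }
```

Word and Excel keep the same value names under their own `...\Office\16.0\Word\Security` and `...\Excel\Security` keys, so the same checks can be repeated per application.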
