July 08, 2017

Malicious actors are always on the hunt for new vulnerabilities to exploit in order to infect machines worldwide. While hunting for vulnerabilities is not an easy task, there are other infection vectors that cyber criminals can use to achieve a successful attack.

One might suggest that the best infection vector lies within a software feature rather than a bug, so by exploiting a feature in a widely used product one can cause a widespread infection below the radar. A fertile environment for such features include feature vulnerabilities that can be found within Microsoft Office’s products, as there exists several features that should not be present based on today’s security standards.

The following attack has been around since June 2017 and exploits this feature-vulnerability scheme.

The attack

Using spam mail to reach a widespread population, malicious actors send a PPSX (PowerPoint SlideShow) file to their victims. Once opened, the file features a single slide with the text “ Loading.. Please wait.”

Figure 1. The presentation as seen upon execution

This slide appears to be benign, but its true value, lies underneath. The text appears to be a link. However, as most employees have been warned about malicious links due to security concerns, they often know not to click on certain types of links they get.

In fact, most employees are being taught to “think before they click” and check where a link leads before clicking on it. In order to check, all one has to do is hover to see the referenced domain. While hovering on a link is often harmless on most occasions, in this case, it causes an infection to occur

PowerPoint allows its users to use 2 types of links: clickable and hover-able.

This link (which is not a link but an image) is a hover-able link and so far, has proved not to be a malicious one.

Figure 2. An image posing as a link

The feature-vulnerability here that PowerPoint uses, allows for a link to point to a URL, a specific slide, a macro function and to an external program.

It looks like this:

Figure 3. link options within PowerPoint

Notice the “program” the link points to. It’s a Powershell code that aims to download and execute a credential stealer. When a user checks the link, he hovers on the “link” and the Powershell code is executed within its given parameters.

If the user has, for some reason, disabled Protected View, he will become infected;if not, this is the prompt he will receive:

Figure 4. Protected view prompt alerting of a potential security concern

As this trick requires specific user interaction, by hovering and confirming security prompts, it is not likely that this kind of an attack will be detected by using a sandbox solution. While sandbox solutions protect organizations from a variety of attacks, they stands useless in this scenario, allowing the infected file into the organization.

Best Practices

We advise all users to use Protected View, which Microsoft enables by default, especially for documents downloaded from potentially unsafe locations. Protected View provides a way for users to read the content of an unknown or suspicious file while significantly reducing chances of infection.

Another approach to mitigate these types of attacks is to use Advanced CDR technology. Each document, along with its legitimate features and all other feature-vulnerabilities, is carefully examined and re-built from scratch, eliminating any non standard or malicious attributes, values, and OLE objects without requiring any signature or learning.

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy