Cyber criminals exploit PowerPoint vulnerability to install remote access Trojan

Table of Contents

While some people are creating boring presentations using PowerPoint and are preparing for an important meeting, cyber criminals are looking for other ways how they can use this Microsoft Office product. Recently attackers were noticed exploiting a vulnerability in the Windows Object Linking Embedding (OLE).[1] Probably, the majority of users have already heard and learned the lesson about dangers that might be hiding in MS Word[2] and Excel[3] files attached in the strange emails. Now, it’s time to talk more about new malware distribution method via PowerPoint.

PowerPoint exploit allows launching cyber attacks

Malicious emails now have a new dangerous attachment

The malicious PPSX file spreads via spam emails. Undoubtedly, there are numerous different messages attacking computer users all over the world. Currently, researchers noticed the biggest campaign that can be recognized by this subject line “RFQ & Specifications on Large Order.” Thus, criminals pretend to be from a cable manufacturing company:

 Hello All

Please find the specified order and. It’s Consignee’s name and address for the booked orders that you will do its shipping.

Please kindly notify if you can supply the items listed. your lowest prices and also ETD please quote F0B and CIF prices


Thanks & Regards

G.M. (Purchasing Manager)


As you can probably understand from the content, this phishing campaign mostly aims at electronics manufacturing business. Thus, this email is not expected to show up in your personal inbox. For this reason, companies are advised to educate and remind employees to be careful with email attachments because attackers might use the name of legit companies and real business partners.

Modus operandi of the attack

The example of PowerPoint exploit

According to the Trend Micro,[4] attackers were able to execute a zero-day remote code execution vulnerability (CVE-2017-0199) in OLE interface of Microsoft Office products. The malware was originally executed using an infected Rich Text File (RTF) documents.

However, this time criminals found a new way to exploit this flaw using PowerPoint Slide Show that is attached to the malicious email. When a user opens it, they see just one slide with a code “CVE-2017-8570” that is the name of MS Office vulnerability. However, in reality, attackers exploit CVE-2017-0199 flaw.

Thus, when a victim opens an obfuscated PowerPoint document, the file triggers a script and runs the remote code. If the vulnerability is successfully exploited, it downloads the logo.doc file. However, it’s a camouflaged XML file that includes malicious JavaScript code that is designed to download and execute RATMAN.EXE – a remote access Trojan.

Trojan horse gives cyber criminals full access to the infected computer

As you can see, attackers use PowerPoint vulnerability to install a Trojan on the computer. This remote access Trojan horse can:

  • download and execute commands,
  • capture screenshots,
  • record videos,
  • use webcam and microphone,
  • record screenshots,
  • download other malware.

In other words, the Trojan allows cyber criminals to get full control over victim’s computer. Therefore, they can do anything, from installing ransomware that demands to pay thousands of dollars for data recovery to stealing personal information. Therefore, one accidental click on a safely looking PowerPoint slide might end up with money or data loss.

What should we do about PowerPoint exploit?

Identification of a phishing email is the most important security tip

The good news is that this PowerPoint exploit is fixed. Microsoft addressed this problem in April. Therefore, users who regularly update and patch their OS, should not worry about these attacks. However, not all of Windows users follow this crucial security tip and use outdated or unpatched OS and software.

Therefore, if it’s been a while since you patched your Windows, it’s time to do that. We want to remind that keeping system up-to-date helps to minimise the risk of cyber attacks. Undoubtedly, cyber criminals are always looking for a new ways and vulnerabilities to use for their evil tasks.

This spam campaign is one of the examples how cyber criminals target specific business or industries with customized scams. Indeed, it’s a clever strategy that might help to launch more successful attacks.

However, if you are not sure how to identify malicious email, here are the main signs that you should look up for:[5]

  1. Grammar, spelling or use of English mistakes. Representatives and companies rarely leave errors in the emails. Thus, you should always have in mind that cyber criminals might be good at programming, but grammar is definitely not their strength. The transcript of this recent hoax is a clear evidence.
  2. Strange email address. If you receive a letter from a company that has a beginning similar to johnjonhson987 and the ending @gmail.com, it’s a clear sign of a scam.
  3. Name check. Does the sender exist? Is it working in the company? Google knows answers to these questions. Check them!
  4. Links and attachments. Typically, potential victims are urged to click provided content as soon as possible. But you should not rush until you do your homework and make sure that the file/link is safe.