New Malware Abuses PowerPoint Slide Show

A Trend Micro blog post outlines new malware that abuses PowerPoint Slide Show files. Per the article, the exploit arrives as a spear-phishing email attachment that drops a remote access tool. Trend Micro believes the targeted attack uses a sender address disguised to look like a legitimate email from a business partner. While the email itself mentions an order request, the recipient will not find business documents attached, but rather a PPSX file that triggers a script that downloads a remote access tool to the machine.



Impressive that Trend Micro found this. Fortunately, the article does state that Microsoft patched this vulnerability in April, so up-to-date machines are safe from these attacks.

Ultimately, the use of a new method of attack is a practical consideration: since most detection methods for CVE-2017-0199 focus on the RTF method of attack, the use of a new vector (PPSX files) allows attackers to evade antivirus detection.
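
As an added example (not from Trend Micro or the original post), here is a defender-side check that looks at Office Open XML packages such as PPSX instead of RTF: it lists every external relationship in the package's .rels parts and flags OLE object relationships that point at a remote location. The flagging heuristic, the function names and the sample built around example.invalid are assumptions constructed for illustration; the page does not describe the file's internals.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Heuristic (assumption): a target holding a URL or UNC path resolves off-host.
REMOTE = re.compile(r"(?:https?|ftp)://|^\\\\", re.IGNORECASE)


def scan_ooxml(data):
    """List external relationships in an OOXML package (PPSX, PPTX, DOCX...)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # Untrusted XML: swap in defusedxml for production scanning.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "")
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name, "type": kind, "target": target,
                    # External hyperlinks are routine; a remote OLE object is not.
                    "suspicious": kind.lower() == "oleobject"
                                  and bool(REMOTE.search(target)),
                })
    return findings


def build_sample(kind, target):
    """Constructed test fixture: a zip with a single slide .rels part."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" TargetMode="External" Target="{target}" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        f'relationships/{kind}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample("oleObject", "http://example.invalid/obj")))
```

To scan a real attachment, pass the file's bytes to `scan_ooxml`; a file that is not a valid zip raises `zipfile.BadZipFile`, which a mail-gateway hook should treat as a separate signal.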

Source: [H]ardOCP – New Malware Abuses PowerPoint Slide Show