We discovered a malicious MS PowerPoint document that arrives via an attached file attached to specific email messages. The file contains an embedded Flash file, which exploits a software bug found in specific versions of Flash Player (CVE-2011-0611) to drop a backdoor onto users’ systems.
Users who open the malicious .PPT file triggers the shellcode within the Flash file that exploits CVE-2011-0611, and then drops “Winword.tmp” in the Temp folder. Simultaneously, it also drops a non-malicious PowerPoint presentation file “Powerpoint.pps”, tricking users into thinking that the malicious file is just your average presentation file. Based on our analysis, “Winword.tmp” is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware leaving infected systems susceptible to other, more menacing threats such as data stealing malware.
Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.EVL and the dropped backdoor file as BKDR_SIMBOT.EVL. Reports, as well as our own analysis, confirmed that this kind of malware has been used for targeted attacks in the past.
Recent threats are no longer limited to malicious files disguised as ordinary binaries (such as .EXE file) attached to emails. These specially crafted files can be embedded in commonly used files such as PDF, DOC, PPT or XLS files. In this particular scenario, users are unaware of the attack since TROJ_PPDROP.EVL also displays a non-malicious PowerPoint file to serve as a decoy.
Reliable Vulnerabilities: Effective Infection Gateways
This case also shows that cybercriminals are continuously taking advantage of previously reported vulnerabilities in popular software such as MS Office applications, Flash etc. In a previous blog entry, we uncovered that old and reported software bugs such as CVE-2010-3333 and CVE-2012-0158 are still being exploited by attackers. This finding highlights two things. First, exploits created for reliable vulnerabilities remain effective cybercriminal tools. Second, most users do not regularly update their systems’ with the latest security patch, which explains why attackers are continuously exploiting these bugs.
Trend Micro protects users from this threat via Smart Network Protection™, which blocks the related email and URLs and detects TROJ_PPDROP.EVL and BKDR_SIMBOT.EVL. In this new era where simple documents can lead to information theft, users should be extra cautious before downloading files from email messages, especially those from unknown senders. Users should also regularly keep their systems updated with the latest security patch.