A new 0-day malware attack leveraging a vulnerability in Microsoft PowerPoint is making the rounds. Distributed as attachments to spam messages, specially crafted PowerPoint files are used for exploitation, which grants cybercriminals access to the affected user’s system.
The aforementioned files containing the exploit are detected by Trend Micro as TROJ_PPDROP.AB. According to the analysis of Trend Micro Researcher Michael Cortes, upon successful exploitation, TROJ_PPDROP.AB drops the following files in the affected system’s temporary folder:
TROJ_KUPS.F terminates processes commonly associated with Adobe Reader if it finds them running on the system. It also deletes certain registry entries, then overwrites the original PowerPoint file with a clean file and opens it, so that the user believes the file that was executed is non-malicious. It deletes itself after completing these routines.
On the other hand, BKDR_KUPS.F checks for an Internet connection on the affected system by attempting to connect to www.download.windowsupdate.com. Once the connection is verified, it connects to a certain IP address and waits for further commands. It is reported to be capable of executing the following commands:
- send information such as the computer name, IP address and OS version
- perform a directory search
- list the contents of the compromised system
- download an updated copy of itself or another malware
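The connectivity check against a Microsoft domain followed by a connection to a bare IP address, as described above, is a sequence a defender can look for in proxy or firewall logs. The following Python script is an added example, not code from the original post or from Trend Micro; its log format, host names and addresses are constructed, and the command-and-control address (203.0.113.45, from a documentation range) is a placeholder because the post does not name the real one.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample proxy/firewall log lines (not from the original post):
# "<ISO timestamp> <source host> <destination> <port>"
SAMPLE_LOG = """\
2009-04-03T09:12:01 WS-017 www.download.windowsupdate.com 80
2009-04-03T09:12:03 WS-017 203.0.113.45 80
2009-04-03T09:15:20 WS-022 www.download.windowsupdate.com 80
2009-04-03T09:15:21 WS-022 update.vendor.example 443
2009-04-03T10:02:00 WS-031 198.51.100.7 8080
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
CHECK_HOST_RE = re.compile(r"(^|\.)windowsupdate\.com$")

def is_ip_literal(dest):
    """True if the destination was contacted by bare IP rather than by name."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False

def parse(log_text):
    """Yield (timestamp, src, dest, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_check_then_raw_ip(log_text, window_seconds=60):
    """Flag hosts whose windowsupdate.com contact is followed, within the window,
    by an outbound connection to a bare IP address. Returns (src, ip, ts) tuples."""
    last_check = {}   # source host -> time of its most recent windowsupdate.com contact
    hits = []
    for ts, src, dest, port in sorted(parse(log_text)):
        if CHECK_HOST_RE.search(dest):
            last_check[src] = ts
        elif is_ip_literal(dest) and src in last_check:
            if ts - last_check[src] <= timedelta(seconds=window_seconds):
                hits.append((src, dest, ts.isoformat()))
    return hits

if __name__ == "__main__":
    for src, ip, when in find_check_then_raw_ip(SAMPLE_LOG):
        print(f"{when} {src}: windowsupdate.com check followed by raw-IP connection to {ip}")
```

A raw-IP connection shortly after a Microsoft connectivity check is a triage signal rather than a verdict, since many legitimate programs also connect to IP literals; each hit should be checked against the process list and dropped files on that host.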
Microsoft has already released a security advisory for the vulnerability, and a fix for it will hopefully be available soon. Meanwhile, users are already protected from this threat through the Trend Micro Smart Protection Network.