Criminals are using the Windows Object Linking Interface in Powerpoint to install malware

Kit McDonald

Cyber criminals are using Microsoft PowerPoint to install malware. The Windows Object Linking Embedding (OLE) interface is the technology that allows exporting part of a document with a different editing application than the original. According to a report from Trend Micro (via Neowin), users are exploiting the use with PowerPoint slideshows.

These PowerPoint slideshows come in the form of an email and in the more recent cases, Neowin mentions that they come as attachments labeled shipping details. On closer inspection, the PPSX file from PowerPoint is just a playback  of the slideshow and opening it displays ‘CVE-2017-8570’.

But what’s happening behind the scenes is the problem. The CVE-2017-0199 Remove Code Execution vulnerability will open up to the exploit and run a process to download ‘logo.doc’ to the user’s computer. That document then runs a command to download ‘RATMAN.exe’ which can make a connection to a Command and Control server.

In short, computers infected can have their privacy invaded easily. It records keystrokes, screenshots, video, and audio, and more. And as the ‘RATMAN.exe’ is a remote control tool, it can also completely control your PC without you knowing it.

The best way to avoid the malware altogether is to be safer about downloading any attachments from unknown senders. Even if it’s from someone you know, it’s better to be safe than sorry.