A malicious MS PowerPoint document that arrives as an attachment to specific email messages is now making the rounds.
The file contains an embedded Flash file that exploits a bug in specific versions of Flash Player to drop a backdoor onto users’ systems, said researchers at Trend Micro.
When a user opens the malicious .PPT file, the shellcode within the Flash file exploits CVE-2011-0611 and drops “Winword.tmp” in the Temp folder. At the same time, it drops a non-malicious PowerPoint presentation, “Powerpoint.pps,” to trick the user into believing the malicious file is just an ordinary presentation.
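As an added example (not Trend Micro's code or tooling), the scanner below looks for embedded Flash (SWF) objects inside a PowerPoint document by locating SWF headers (the FWS/CWS/ZWS magics followed by a version byte and a little-endian length) and applying plausibility checks; it goes beyond the page by handling both legacy OLE .PPT files and OOXML .PPTX archives. The two sample documents are constructed in code, and the version range used for filtering is an assumption for this illustration.

```python
import io
import struct
import zipfile
import zlib

# Adobe Flash (SWF) file magics: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.ppt/.doc/.xls)

def find_swf_headers(data):
    """Return (offset, magic, version, declared_length) for each plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                # Plausibility checks cut false positives: version byte is small (assumed
                # 1..40), and length is the uncompressed size, so only an FWS body must fit.
                plausible = 1 <= version <= 40 and length >= 8
                if plausible and (magic != b"FWS" or length <= len(data) - pos):
                    hits.append((pos, magic.decode(), version, length))
            pos = data.find(magic, pos + 1)
    return hits

def scan_office_document(data):
    """Scan a legacy OLE (.ppt) or OOXML zip (.pptx) document for embedded Flash."""
    findings = []
    if data.startswith(b"PK\x03\x04"):  # OOXML: inspect every zip member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                findings += [(name,) + hit for hit in find_swf_headers(zf.read(name))]
    else:
        container = "ole" if data.startswith(OLE_MAGIC) else "raw"
        findings += [(container,) + hit for hit in find_swf_headers(data)]
    return findings

def build_sample_ppt():
    """Constructed sample: OLE magic, filler, then a zlib-compressed (CWS) SWF."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 100
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return OLE_MAGIC + b"\x00" * 504 + b"\x01\x00\x00\x00" + swf + b"\x00" * 64

def build_sample_pptx():
    """Constructed sample: OOXML zip carrying an uncompressed (FWS) SWF media part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/media/media1.swf", b"FWS\x0a" + struct.pack("<I", 72) + b"\x00" * 64)
    return buf.getvalue()
```

A real triage pipeline would pair this with extraction of the OLE stream that holds the object, since a header hit only tells you where the Flash content starts.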
Based on our analysis, “Winword.tmp” is a backdoor that connects to remote sites to communicate with a possible malicious user. It is also capable of downloading and executing other malware, leaving infected systems susceptible to further threats such as data-stealing malware.
Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.EVL and the dropped backdoor as BKDR_SIMBOT.EVL. This malware has been used in targeted attacks before.
Recent threats are no longer limited to malicious files disguised as ordinary binaries (such as .EXE files) attached to emails. Malicious content can be embedded in commonly used file types such as PDF, DOC, PPT or XLS. In this particular case, users are unaware of the attack because TROJ_PPDROP.EVL also displays a non-malicious PowerPoint file as a decoy.
This case also shows that cybercriminals continue to take advantage of previously reported vulnerabilities in popular software such as MS Office applications and Flash.
Trend Micro researchers found that attackers are still exploiting old bugs. This finding highlights that exploits written for reliable vulnerabilities remain effective tools for cybercriminals, and that most users do not regularly apply the latest security patches, which explains why attackers keep exploiting these bugs.