The use of social engineering to grab attention of recipients and to deliver malware is not something novel. The latest trend in spreading malware is to manipulate a happening celebrity story, disaster or other high profile news event. The threat could be delivered as emails or poisoned search engine results which leads to malware. In the past, we have come across innumerableÂ incidents like Michael Jackson demise or Benazir Bhutto assassination used as an arena toÂ spread malware. Lately, we have observed an increase in the number of OLE files being used as targeted attacks against various high profile users.
The exploit and lure claims to contain information on the Pakistani Air Force and arrives via email as a PowerPoint document attachment. When an unsuspecting user having a vulnerable version of PowerPoint launches the document, the vulnerability is exploited and the malicious payload is executed.
The vulnerability is with a malformed record within PowerPoint which can be exploited to execute malicious code. The shellcode makes use of the Process Environment Block (PEB) approach to determine the kernel32.dll base address as shown in the figure below.
Upon executing the file in a vulnerable version of PowerPoint, the shellcode decrypts itself and executes the malicious binary.
The malicious PPT file is exploiting an older vulnerability which was patched by Microsoft in ms06-028 bulletin. This attack isÂ detected with the current DATS as Exploit-PPT.h and the dropped malicious executable is detected as BackDoor-EFB.