PowerPoint Files Used to Push Remote Access Trojans (25th January 2022)

Ref# AL2022_04 | Date: Jan 25th 2022

Description

An increasingly popular trend in phishing campaigns, uncovered in December 2021, uses malicious PowerPoint files to deliver remote access and information-stealing trojans. In this campaign, a spam email arrives with a PowerPoint file as an attachment. When the attachment is opened, its macro executes and delivers the remote access trojans. The spam emails purport to relate to financial transactions.

Summary

Threat actors are using PowerPoint documents paired with legitimate cloud services, which host the malware payloads, to deploy trojans. The trojan families seen in the uncovered phishing campaign are tracked as Warzone (also known as AveMaria) and AgentTesla. These are two powerful RATs and password stealers that target many applications and can also drop cryptocurrency stealers.

How it works

It was observed that the PowerPoint phishing attachment contains an obfuscated macro that is executed through a combination of PowerShell and Microsoft HTML Application (MSHTA), both of which are tools built into Windows.

After execution, the Visual Basic script (VBS) is restored to readable form and adds new Windows Registry entries for persistence, which in turn leads to the execution of two scripts. The first script fetches AgentTesla from an external URL and the second script disables Windows Defender. In addition, the VBS creates a scheduled task that runs a script every hour, which fetches a PowerShell cryptocurrency stealer from a Blogger URL.
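The chain described above (an Office process launching MSHTA and PowerShell, registry Run-key entries for persistence, and an hourly scheduled task) gives defenders concrete endpoint telemetry to match on. The following Python is an added example, not part of this alert, that applies such rules to constructed Sysmon-style process-creation and registry events; the event field names, paths and command lines are assumptions made for the example.

```python
import json
import ntpath

# Constructed Sysmon-style events as JSON lines (not real telemetry).
# event 1 = process creation, event 13 = registry value set.
SAMPLE_EVENTS = r"""
{"event": 1, "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe hxxp://hosting.invalid/loader"}
{"event": 1, "parent": "C:\\Windows\\System32\\mshta.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -w hidden -enc AAAA"}
{"event": 13, "image": "C:\\Windows\\System32\\wscript.exe", "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"event": 1, "parent": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc hourly /tn Updater /tr C:\\Users\\Public\\u.vbs"}
{"event": 1, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

OFFICE = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return the names of the detection rules a single event matches."""
    hits = []
    image, parent = base(ev.get("image")), base(ev.get("parent"))
    cmd = ev.get("cmdline", "").lower()
    if ev["event"] == 1:
        if parent in OFFICE and image in SCRIPT_HOSTS:
            hits.append("office_spawned_script_host")        # macro -> mshta/powershell
        if parent == "mshta.exe" and image == "powershell.exe":
            hits.append("mshta_spawned_powershell")           # MSHTA + PowerShell combination
        if (parent in SCRIPT_HOSTS and image == "schtasks.exe"
                and "/create" in cmd and "/sc hourly" in cmd):
            hits.append("hourly_task_from_script_host")       # hourly fetch task
    elif ev["event"] == 13:
        if image in SCRIPT_HOSTS and "\\currentversion\\run" in ev.get("target", "").lower():
            hits.append("run_key_written_by_script_host")     # Run-key persistence
    return hits

def analyse(jsonl):
    """Parse JSON lines and return (rule, image) pairs for every match."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        findings.extend((rule, base(ev.get("image"))) for rule in classify(ev))
    return findings

if __name__ == "__main__":
    for rule, image in analyse(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

Parent/child relationships are the durable signal here: the macro can change its download URL, but an Office process that spawns mshta.exe or a script host writing under CurrentVersion\Run is rare on a normal workstation.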

Remediation

It is advised to delete unsolicited emails immediately upon receipt. PowerPoint documents should be treated with extreme caution, as their VBS macros can be as dangerous as their Excel counterparts.

Keep your Internet security shields up, your software up to date, your Microsoft Office macros disabled and handle all unsolicited communication with caution.

For tips on protecting your network and computers from malicious threat actors you can follow this URL: https://www.getsafeonline.gy/business/article-category/online-safety-and-security/

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
