Beware PowerPoint Files With Hidden Malware

There is an emerging trend in phishing campaigns that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. Attackers are using specially crafted socially engineered emails with .ppam file attachments that hide malware.

This is just the latest stealthy way that threat actors have been using to target desktop users through trusted applications. These weaponised PowerPoint files can hide a malicious executable, and that malware can rewrite Windows registry settings on targeted machines, leading to devastating attacks for victims.

Beginning in January 2022, researchers have observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent. In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten.

This attack method was discovered by Avanan, a Check Point company, whose researchers stated that the malware allows an attacker to take over an end user's computer.

The phishing emails are able to evade security detections and appear legitimate, according to Avanan, who have released a report detailing the campaign and confirming that the file contains bonus commands, custom macros, and other malicious functions. This campaign was first identified in January when researchers observed attackers delivering socially engineered emails including the PowerPoint file attachments with malicious intent.

One of the emails observed in the campaign consisted of the attacker pretending to be sending the recipient a purchase order. Although the attached file appeared legitimate, it contained a malicious executable. This email failed a Sender Policy Framework (SPF) check and there was no significant history with the sender.

Attackers typically use email to deliver malicious files or links that steal user information. To guard against these attacks, security professionals can do the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content.
  • Implement security that can dynamically analyse emails for indicators of compromise. 
  • Encourage end-users to contact IT for security advice when opening an unfamiliar file.
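A mail-gateway triage check, added here as an illustration and not code from Avanan or the original article, that flags the three signals the article describes: a .ppam attachment (checked for an embedded VBA project, since a .ppam is an OOXML zip package), a failed SPF result in the Authentication-Results header, and a sender with no prior history. The sample message, the allow-list and the attachment contents are all constructed.

```python
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed allow-list standing in for "sender history"; not real data.
KNOWN_SENDERS = {"accounts@example.com"}


def ppam_has_macros(data: bytes) -> bool:
    """A .ppam is an OOXML zip; its VBA project is stored as ppt/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not a valid package; the .ppam extension alone is still flagged


def triage(raw: bytes) -> list[str]:
    """Return the list of indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Assumes the receiving MTA writes a standard "spf=fail" / "spf=pass" result.
    if re.search(r"\bspf=fail\b", msg.get("Authentication-Results", ""), re.I):
        findings.append("spf_fail")
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    if sender not in KNOWN_SENDERS:
        findings.append("unknown_sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".ppam"):
            findings.append(f"ppam_attachment:{name}")
            if ppam_has_macros(part.get_payload(decode=True)):
                findings.append("ppam_contains_vba_project")
    return findings


def build_sample() -> bytes:
    """Constructed message mimicking the campaign's purchase-order lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/vbaProject.bin", b"\x00placeholder")  # stand-in, not real VBA
    msg = EmailMessage()
    msg["From"] = "orders@unrelated-sender.example"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Purchase Order"
    msg["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=unrelated-sender.example"
    msg.set_content("Please see the attached purchase order.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-powerpoint.addin.macroEnabled.12", filename="PO_4411.ppam")
    return msg.as_bytes()
```

In production the same checks would run inside the sandboxing step the list above recommends, with the attachment detonated rather than only inspected statically.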

This exploit is one of several new email-based campaigns recently uncovered to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud.
