Beware PowerPoint Files With Hidden Malware

There is an emerging trend in phishing campaigns that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. Attackers are using specially crafted socially engineered emails with .ppam file attachments that hide malware.

This is just the latest stealthy way that threat actors have been using to target desktop users through trusted applications. These weaponised PowerPoint files are able to hide malicious executable malware and the malware can rewrite Windows registry settings on targeted machines, leading to devastating attacks for victims

Beginning in January 2022, researchers have observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent. In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten.

This attack method has been discovered by Avanan, a Check Point company and their researchers stated that the malware allows an attacher to take over an end user’s computer. 

The phishing emails are able to evade security detections and appear legitimate, according to Avanan, who have  released a report detailing the campaign and confirming that the file contains bonus commands, custom macros, and other malicious functions. This campaign was first identified in January when researchers observed attackers delivering socially engineered emails including the PowerPoint file attachments with malicious intent. 

One of the emails observed in the campaign consisted of the attacker pretending to be sending the recipient a purchase order. Although the attached file appeared legitimate, it contained a malicious executable. This email failed a Sender Policy Framework (SPF) check and there was no significant history with the sender.

Attackers typically use email to deliver malicious files or links that steal user information. To guard against these attacks, security professionals can do the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content.
  • Implement security that can dynamically analyse emails for indicators of compromise. 
  • Encourage end-users to contact IT fo security advice when opening an unfamiliar file.

This exploit is one of several new email-based campaigns recently uncovered to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud.

Avanan:    McAfee:       Oodaloop:     Threatpost:      Avanan:      Bleeping Computer:      Netskope:   

You Might Also Read: 

Auto-Redirects: A Harmful Detour:

 

« Spy Chief Warns US Government Is Classifying Too Much Data
The Cyber Skills Shortage Is Not Getting Any Better »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Micron Technology

Micron Technology

Micron is a global leader in the semiconductor industry providing memory and secure storage devices for Networks, Mobile devices and IoT applications.

Parasoft

Parasoft

Parasoft is an independent software testing and software quality assurance tool and solution vendor.

CIRCL

CIRCL

CIRCL is the national Computer Incident Response Center of Luxembourg

Government Communications Headquarters (GCHQ)

Government Communications Headquarters (GCHQ)

GCHQ defends Government systems from cyber threat, provide support to the Armed Forces and strive to keep the public safe, in real life and online.

ManagedMethods

ManagedMethods

ManageMethods Cloud Access Monitor is the only Cloud Access Security Broker (CASB) that can be deployed in minutes, with no special training, and with no impact on users or networks.

GuardiCore

GuardiCore

GuardiCore is an innovator in internal data center security and breach detection and is transforming security inside data centers and clouds.

Sqreen

Sqreen

Sqreen is a web application security monitoring and protection solution helping companies protect their apps and users from attacks.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

Cybeats Technologies

Cybeats Technologies

Cybeats delivers an integrated security platform designed to secure and protect high-valued connected devices.

DigiByte (DGB)

DigiByte (DGB)

DigiByte (DGB) is a rapidly growing global blockchain with a focus on cybersecurity for digital payments & decentralized applications.

Wayra

Wayra

Wayra connects Telefónica and technological disruptors around the world. As their preferred strategic partner, we scale them up to accelerate their business and ours.

Wabbi

Wabbi

Wabbi’s continuous security platform centralizes, automates and orchestrates security governance and vulnerability management to empower development teams to own appsec.

Northrop Grumman

Northrop Grumman

Northrop Grumman is a global provider and integrator of complex, advanced and rapidly adapting information technology, cybersecurity, mobility and optimized services and solutions.

Verizon

Verizon

Verizon is a leader in IT technology solutions - Verizon Cloud, Networking, Security, Mobility, Machine-to-Machine (M2M), Advanced Communications and Professional Services.

Fairdinkum Consulting

Fairdinkum Consulting

Fairdinkum is a leading full-service IT consulting firm with more than two decades of experience in the industry.

FastPassCorp

FastPassCorp

In the world of IT, identity theft is a growing concern. FastPass offers an innovative solution as a cloud or on-premises offering.