Beware PowerPoint Files With Hidden Malware

There is an emerging trend in phishing campaigns that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. Attackers are using specially crafted socially engineered emails with .ppam file attachments that hide malware.

This is just the latest stealthy method threat actors have been using to target desktop users through trusted applications. These weaponised PowerPoint files can hide a malicious executable, and that malware can rewrite Windows registry settings on targeted machines, leading to devastating attacks on victims.

Beginning in January 2022, researchers observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent. In this attack, the lure is a generic purchase order email, a pretty standard phishing message, with a .ppam file attached. A .ppam file is a PowerPoint add-in, which extends the application with additional capabilities. Here, however, the file actually wraps a malicious process that overwrites registry settings.

This attack method was discovered by Avanan, a Check Point company, whose researchers stated that the malware allows an attacker to take over an end user’s computer.

The phishing emails are able to evade security detections and appear legitimate, according to Avanan, which has released a report detailing the campaign and confirming that the file contains bonus commands, custom macros, and other malicious functions. This campaign was first identified in January, when researchers observed attackers delivering socially engineered emails including the PowerPoint file attachments with malicious intent.

One of the emails observed in the campaign consisted of the attacker pretending to be sending the recipient a purchase order. Although the attached file appeared legitimate, it contained a malicious executable. This email failed a Sender Policy Framework (SPF) check and there was no significant history with the sender.

Attackers typically use email to deliver malicious files or links that steal user information. To guard against these attacks, security professionals can do the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content.
  • Implement security that can dynamically analyse emails for indicators of compromise.
  • Encourage end users to contact IT for security advice when opening an unfamiliar file.
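
A defender-side triage check for the indicators described above (a failed SPF check, a .ppam attachment, and a macro project inside that add-in), as an added example that is not code from the article or from Avanan; the email, addresses, attachment name and add-in archive are constructed samples:

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

def build_fake_ppam(with_macro: bool) -> bytes:
    """Constructed sample: minimal ZIP laid out like an Open XML PowerPoint add-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        if with_macro:  # macro-enabled add-ins carry the VBA project here
            zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()

def attachment_has_vba(data: bytes) -> bool:
    """True if the OOXML container bundles a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML package; leave it to sandbox detonation

def triage(raw: bytes) -> list:
    """Flag SPF failure, a .ppam attachment, and a macro project inside it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bspf=(fail|softfail)\b", auth, re.I):
        findings.append("spf-fail")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".ppam"):
            findings.append(f"ppam-attachment:{name}")
            if attachment_has_vba(part.get_payload(decode=True)):
                findings.append(f"vba-macro:{name}")
    return findings

def build_sample_email(with_macro: bool) -> bytes:
    """Constructed purchase-order lure; all addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "orders@supplier.invalid"
    msg["Subject"] = "Purchase Order"
    msg["Authentication-Results"] = "mx.victim.invalid; spf=fail smtp.mailfrom=supplier.invalid"
    msg.set_content("Please find the purchase order attached.")
    msg.add_attachment(build_fake_ppam(with_macro), maintype="application",
                       subtype="vnd.ms-powerpoint.addin.macroEnabled.12", filename="PO-4471.ppam")
    return msg.as_bytes()
```

A real gateway would feed the attachment to a sandbox regardless of the macro check; this only orders the queue.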

This exploit is one of several new email-based campaigns recently uncovered to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud.
