Beware PowerPoint Files With Hidden Malware

There is an emerging trend in phishing campaigns that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans. Attackers are using specially crafted socially engineered emails with .ppam file attachments that hide malware.

This is just the latest stealthy way that threat actors have been using to target desktop users through trusted applications. These weaponised PowerPoint files are able to hide malicious executable malware and the malware can rewrite Windows registry settings on targeted machines, leading to devastating attacks for victims

Beginning in January 2022, researchers have observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent. In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten.

This attack method has been discovered by Avanan, a Check Point company and their researchers stated that the malware allows an attacher to take over an end user’s computer. 

The phishing emails are able to evade security detections and appear legitimate, according to Avanan, who have  released a report detailing the campaign and confirming that the file contains bonus commands, custom macros, and other malicious functions. This campaign was first identified in January when researchers observed attackers delivering socially engineered emails including the PowerPoint file attachments with malicious intent. 

One of the emails observed in the campaign consisted of the attacker pretending to be sending the recipient a purchase order. Although the attached file appeared legitimate, it contained a malicious executable. This email failed a Sender Policy Framework (SPF) check and there was no significant history with the sender.

Attackers typically use email to deliver malicious files or links that steal user information. To guard against these attacks, security professionals can do the following:

  • Implement protection that downloads all files in a sandbox and inspects them for malicious content.
  • Implement security that can dynamically analyse emails for indicators of compromise. 
  • Encourage end-users to contact IT fo security advice when opening an unfamiliar file.

This exploit is one of several new email-based campaigns recently uncovered to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud.

Avanan:    McAfee:       Oodaloop:     Threatpost:      Avanan:      Bleeping Computer:      Netskope:   

You Might Also Read: 

Auto-Redirects: A Harmful Detour:

 

« Spy Chief Warns US Government Is Classifying Too Much Data
The Cyber Skills Shortage Is Not Getting Any Better »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Eversheds Sutherland

Eversheds Sutherland

Eversheds Sutherland is a global multinational law practice offering a full range of commercial and IT law services including Privacy, Data Protection and Cyersecurity.

e-Governance Academy (eGA)

e-Governance Academy (eGA)

eGA is a think tank and consultancy founded for the transfer of knowledge and best practice in e-governance, e-democracy and national cyber security.

NPCore

NPCore

NPCore is specialized in defense solution against unknown APT and Ransomware and provides two-level defense on network and endpoint based on behavior.

CYBERSEC Forum

CYBERSEC Forum

CYBERSEC Forum is an annual European Public Policy Conference dedicated to strategic aspects of cybersecurity.

Syhunt Security

Syhunt Security

Syhunt is a leading player in the web application security field, delivering its assessment tools to a range of organizations across the globe.

Advisera 27001Academy

Advisera 27001Academy

Advisera is a market leader in providing documentation and online support for the implementation of business standards including ISO 27001, ISO 22301 and EU GDPR.

XPO IT Services

XPO IT Services

XPO IT Services are dedicated to providing secure, high quality IT recycling and asset disposal services.

SmartContractAudits.com

SmartContractAudits.com

SmartContractAudits.com is the leading platform for finding companies providing smart contract auditing services.

BwCIRT

BwCIRT

BwCIRT is the Computer Incident Response Team (CIRT) for Botswana and provides an official point of contact for dealing with computer security incidents.

Sum&Substance (Sumsub)

Sum&Substance (Sumsub)

Sum&Substance is a developer of remote verification solutions. Our technology allows online services around the world to meet regulatory requirements, prevent fraud and enhance customer confidence.

Y-PARC

Y-PARC

Y-PARC is a center of excellence for cybersecurity, precision industries and medtech, fostering innovation and development and support for startups.

MOXFIVE

MOXFIVE

MOXFIVE is a specialized technical advisory firm founded to bring clarity to the complexity of cyber attacks.

Nucleus Security

Nucleus Security

Nucleus is a leading Vulnerability Management platform for Large Enterprises, MSPs/MSSPs, and Application Security Teams that want more from their vulnerability management tools.

CyBourn

CyBourn

Cybourn's diverse offerings include engineering, analysis, product development, assessment, and advisory services in the cybersecurity space.

Metrics that Matter (MTM)

Metrics that Matter (MTM)

Metrics that Matter redefines how organizations approach cybersecurity by offering unprecedented insight into the value of their assets to criminals and tailored action plans to protect.

Sherweb

Sherweb

Sherweb are a marketplace of leading cloud solutions and value-added services delivered by a team of passionate experts invested in MSP growth.