Attackers are using under-the-radar PowerPoint files to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer.
Researchers have found that the method is one of several attack techniques currently in use. Desktop users have been targeted through trusted applications they use daily, via emails designed to evade security detections and appear legitimate.
A “little-known add-on” in PowerPoint – the .ppam file – is being used to hide malware. Researchers said that the file has bonus commands and custom macros, among other functions. Beginning in January, attackers were observed delivering socially engineered emails that include .ppam file attachments with malicious intent.
One email observed in the campaign, for example, purported to be sending the recipient a purchase order. The attached .ppam file – named PO04012022 to appear legitimate – included a malicious executable. The payload executed a number of functions on the end user’s machine that were not authorised by the user, including installing new programmes that create and open new processes, changing file attributes, and dynamically calling imported functions.
Researchers said: “By combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company”. The campaign allows attackers to bypass a computer’s existing security – in this case, security provided by Google – with a file that’s rarely used and thus won’t trip an email scanner.
In October, reports first surfaced that attackers were using .ppam files to wrap ransomware and disguise malware.
The latest scam is one of several new email-based campaigns uncovered by researchers recently to target desktop users working on commonly used word-processing and collaboration apps like Microsoft Office, Google Docs and Adobe Creative Cloud. Attackers typically use email to deliver malicious files or links that steal user information.
In November, reports surfaced that scammers were using a legitimate Google Drive collaboration feature to trick users into clicking on malicious links in emails or push notifications that invited people to share a Google document. The links directed users to websites that stole their credentials.
This was followed up by a wave of phishing attacks that researchers identified in December. These mainly targeted Outlook users, using the “Comments” feature of Google Docs to send malicious links that also lifted credentials from victims. Threat actors didn’t stop there though, and were found creating accounts within the Adobe Cloud suite. Images and PDFs were sent that appeared legitimate but instead delivered malware to Office 365 and Gmail users.
To stop email scams slipping past corporate users, we advise two measures: install email protection that ensures every file received is inspected for malicious content, and take extra security steps – such as dynamically analysing emails for indicators of compromise (IoCs) – to ensure the safety of messages coming into the corporate network.
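As an added example, not code from the original article or from the researchers it cites, the following Python triage function shows the kind of content inspection that advice calls for. It treats a .ppam attachment as what it is, an Office Open XML zip container, and flags the macro project (ppt/vbaProject.bin) and any embedded object that carries a PE header; the sample file it builds is constructed to mimic that layout and is not a captured attachment.

```python
"""Content-based triage of Office add-in attachments (defensive example)."""
import io
import zipfile
from typing import Dict, List, Union

Report = Dict[str, Union[str, List[str]]]

ADD_IN_EXTENSIONS = (".ppam",)                     # the rarely used add-in type discussed above
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def inspect_attachment(filename: str, data: bytes) -> Report:
    """Return a verdict plus the reasons behind it, judged on content, not just name."""
    reasons = set()
    name = filename.lower()
    if name.endswith(ADD_IN_EXTENSIONS):
        reasons.add("add-in-extension")            # rare type: worth a look on its own
    if data[:2] == b"MZ":
        reasons.add("pe-attachment")               # a raw executable, whatever it is called
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                lower = member.lower()
                if lower.endswith("vbaproject.bin"):
                    reasons.add("vba-project")     # OOXML files keep their macros here
                elif lower.endswith(EXECUTABLE_EXTENSIONS):
                    reasons.add("packed-executable")
                elif "/embeddings/" in lower and zf.read(member)[:2] == b"MZ":
                    reasons.add("embedded-pe")     # OLE-embedded object that is really a PE
    elif name.endswith(ADD_IN_EXTENSIONS):
        reasons.add("malformed-container")         # a genuine .ppam is always a zip
    content_hits = reasons - {"add-in-extension"}
    verdict = "quarantine" if content_hits else ("review" if reasons else "allow")
    return {"verdict": verdict, "reasons": sorted(reasons)}


def build_sample_ppam() -> bytes:
    """Constructed sample (assumption: mimics the standard ppt/ layout), not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0" + bytes(16))   # OLE2 magic
        zf.writestr("ppt/embeddings/oleObject1.bin", b"MZ" + bytes(62))      # PE magic
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("PO04012022.ppam", build_sample_ppam()))
```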
Researchers said: “If an email fails a check, it is usually due to there being an insignificant historical reputation with the sender.” Email authentication techniques are used to prevent spammers and other bad actors from sending messages spoofed to appear to come from another domain name.
A combination of email security and phishing awareness training can go a long way to shoring up your business against these types of malware attacks, but they need to be part of a wider cyber security culture and strategy for optimal effect.