PowerPoint is used as a decoy to spread malware

Threat authors are increasingly turning to Microsoft PowerPoint files to distribute different types of malware.

New research from Netskope has revealed that since the end of 2021, many hacker groups have started using legitimate cloud services to host PowerPoint files which, through the dreaded macros, can drop all sorts of nasty payloads onto target devices.

Netskope says three families of malware dominate: Warzone (also known as AveMaria) and AgentTesla, both of which are powerful remote access Trojans (RATs), as well as a cryptocurrency stealer.

Hijack the clipboard to steal bitcoins

The researchers claim that the PowerPoint file contains an obfuscated macro, which is executed through a combination of built-in Windows tools, PowerShell and MSHTA.

Once executed, the VBS script creates a new Windows entry and runs two additional scripts: one downloads AgentTesla, while the other disables Windows' built-in antivirus solution, Microsoft Defender.
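As an added example (not from the article or from Netskope's research), the following Python snippet shows how a defender might flag the execution chain described above in process-creation telemetry: a script host (MSHTA, PowerShell or the VBS interpreters) whose process ancestry leads back to an Office application. The Sysmon-style records, field names and process IDs are constructed for the example.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon-style process-creation records (pid, parent pid, image path).
# Sample data for this example only, not telemetry from the Netskope report.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 3900, "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 4201, "ppid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5010, "ppid": 3900, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 5022, "ppid": 5010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Office hosts that normally have no business launching script interpreters.
OFFICE_HOSTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# Interpreters in the described chain (MSHTA, PowerShell) plus the hosts that run VBS.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path, independent of the host OS."""
    return ntpath.basename(image).lower()


def find_macro_chains(events: List[Dict]) -> List[str]:
    """Return one 'office > ... > script host' string per script host descended from Office."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [basename(e["image"])]
        seen = set()                      # guards against pid reuse creating a cycle
        parent = by_pid.get(e["ppid"])
        while parent is not None and parent["pid"] not in seen:
            seen.add(parent["pid"])
            chain.append(basename(parent["image"]))
            if basename(parent["image"]) in OFFICE_HOSTS:
                alerts.append(" > ".join(reversed(chain)))
                break
            parent = by_pid.get(parent["ppid"])
    return alerts


if __name__ == "__main__":
    for alert in find_macro_chains(SAMPLE_EVENTS):
        print("suspicious Office-to-script chain:", alert)
```

The notepad-spawned PowerShell in the sample is deliberately not flagged, since the detection keys on Office ancestry rather than on PowerShell alone.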

While it's a known fact that AgentTesla steals browser passwords, keystrokes, clipboard contents, and the like, very little is known (and shared by Netskope) about Warzone.

The third payload is a cryptocurrency stealer, which scans the clipboard for data that looks like a cryptocurrency wallet address. If it finds one, it swaps it out, so the next time the victim pastes the wallet address they copied, they paste a different one, belonging to the attackers.

Office macros have been a staple of malware distribution for years. Macros allow Office files to contain embedded code, written in the Visual Basic for Applications (VBA) programming language, consisting of commands that can be recorded and played back later. Originally designed to help automate repetitive tasks, they have since been hijacked by criminals who misuse them to distribute malware.

It got to the point where Microsoft disabled Excel 4.0 macros by default to keep users safe.

Via: BleepingComputer