Skip to main content

This malware is another reason to dread PowerPoint presentations

Microsoft PowerPoint
(Image credit: Vladimka production / Shutterstock)

Researchers have identified a new malware distribution campaign that utilizes malicious macros concealed within Microsoft PowerPoint attachments.

According to security firm Trustwave, the rigged PowerPoint files are being distributed en masse via email and, once downloaded, set in motion a chain of events that ultimately lead to a LokiBot malware infection.

This mechanism in itself is not unusual, but the manner in which this particular scam evades detection caught the company’s eye. Namely, the way URLs are manipulated to conceal the final payload.

PowerPoint malware campaign

According to Trustwave, the series of domains used in this campaign to infect the target user were actually already known to host malicious content.

However, the hackers have leveraged URL manipulation techniques to conceal the dangerous domains, hoodwinking both the victim and any security filters that might be in place.

Specifically, the campaign abuses standard uniform resource identifier (URI) syntax to bamboozle antivirus services coded to guard against only URLs that follow a particular format.

Opening and closing the infected PowerPoint file activates the malicious macro, launching a URL via the Windows binary “mshta.exe.”, which itself redirects to a VBScript hosted on Pastebin, an online service for storing plain text.

This script contains a second URL, which writes a PowerShell downloader into the registry, triggering the download and execution of two further URLs - also from Pastebin.

One loads up a DLL injector, which is then used to infect the machine with a sample of LokiBot malware concealed within the final URL.

This process might appear excessively convoluted, but the layers of concealment and misdirection - coupled with URL-related sleight of hand - are what allows the attack to proceed unchecked.

To mitigate against this kind of threat, Trustwave has advised users to put in place a sophisticated anti-malware solution designed specifically to combat email-based threats and to interrogate all URLs for irregularities that might betray a scam.

TechRadar Pro has sought further clarification as to what users can do to identify dangerous URLs that have been manipulated as described above.

Update:

Ed Williams, EMEA Director of SpiderLabs at Trustwave, has since provided the following comment:

"Malicious actors are always using new and novel ways to entice users to click on links, and this is no exception. We would recommend that all external URLs are examined appropriately. This can be achieved through a Secure Email Gateway (SEG)."

"As well as the technical control, we would recommend that staff are given appropriate training such that they can spot and report emails/links that appear to be malicious in nature. The combination of people, process and technology increases the likelihood of an event not happening and increases cyber maturity through a mix of controls."