Security: This malware is one more reason to dread PowerPoint presentations

Security: This malware is one more reason to dread PowerPoint presentations



Hackers are distributing rigged PowerPoint files via email

(Image credit: Vladimka production / Shutterstock)

Researchers have identified a replacement malware distribution campaign that utilizes malicious macros concealed within Microsoft PowerPoint attachments.


According to security firm Trustwave, the rigged PowerPoint files are being distributed en bloc via email and, once downloaded, set in motion a sequence of events that ultimately cause a LokiBot malware infection.

This mechanism in itself isn't unusual, but the way during which this particular scam evades detection caught the company’s eye. Namely, the way URLs are manipulated to hide the ultimate payload.

PowerPoint malware campaign

According to Trustwave, the series of domains utilized in this campaign to infect the target user were actually already known to host malicious content.

However, the hackers have leveraged URL manipulation techniques to hide the damaging domains, hoodwinking both the victim and any security filters which may be in situ .

Specifically, the campaign abuses standard uniform resource identifier (URI) syntax to bamboozle antivirus services coded to protect against only URLs that follow a specific format.

Opening and shutting the infected PowerPoint file activates the malicious macro, launching a URL via the Windows binary “mshta.exe.”, which itself redirects to a VBScript hosted on Pastebin, a web service for storing plain text.

This script contains a second URL, which writes a PowerShell downloader into the registry, triggering the download and execution of two further URLs - also from Pastebin.

One loads up a DLL injector, which is then wont to infect the machine with a sample of LokiBot malware concealed within the ultimate URL.

This process might appear excessively convoluted, but the layers of concealment and misdirection - including URL-related sleight of hand - are what allows the attack to proceed unchecked.


To mitigate against this type of threat, Trustwave has advised users to place in situ a classy anti-malware solution designed specifically to combat email-based threats and to interrogate all URLs for irregularities which may betray a scam.

TechRadar Pro has sought further clarification on what users can do to spot dangerous URLs that are manipulated as described above.



Post a Comment

0 Comments