This malware is another reason to dread PowerPoint presentations

[Image: Microsoft PowerPoint (Image credit: Vladimka production / Shutterstock)]

Researchers have identified a new malware distribution campaign that utilizes malicious macros concealed within Microsoft PowerPoint attachments.

According to security firm Trustwave, the rigged PowerPoint files are being distributed en masse via email and, once opened, set in motion a chain of events that ultimately leads to a LokiBot malware infection.

This mechanism in itself is not unusual, but the manner in which this particular scam evades detection caught the company's eye: namely, the way the URLs are manipulated to conceal the final payload.

PowerPoint malware campaign

According to Trustwave, the series of domains used in this campaign to infect the target user were actually already known to host malicious content.

However, the hackers have leveraged URL manipulation techniques to conceal the dangerous domains, hoodwinking both the victim and any security filters that might be in place.

Specifically, the campaign abuses standard uniform resource identifier (URI) syntax to bamboozle antivirus services that are coded to inspect only URLs following a particular format.

Opening and closing the infected PowerPoint file activates the malicious macro, which opens a URL via the Windows binary "mshta.exe"; that URL in turn redirects to a VBScript hosted on Pastebin, an online service for storing plain text.

This script contains a second URL, which writes a PowerShell downloader into the registry, triggering the download and execution of content from two further URLs, also hosted on Pastebin.

One loads up a DLL injector, which is then used to infect the machine with a sample of LokiBot malware concealed within the final URL.

This process might appear excessively convoluted, but the layers of concealment and misdirection, coupled with the URL-related sleight of hand, are what allow the attack to proceed unchecked.

To mitigate this kind of threat, Trustwave has advised users to put in place a sophisticated anti-malware solution designed specifically to combat email-based threats and to interrogate all URLs for irregularities that might betray a scam.
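As an added example (not Trustwave's or TechRadar's code) of what "interrogating URLs for irregularities" can mean in practice: RFC 3986 allows a userinfo part before the host (scheme://user@host/path), so a filter that only reads the text immediately after "://" can be shown a benign-looking name while a standards-aware parser resolves a different host. The article does not name the exact trick used, so the userinfo case, the other checks and the denylist below are assumptions chosen for illustration.

```python
"""Defensive URL inspection: resolve the real host and flag irregularities."""
import re
from urllib.parse import urlsplit, unquote

# Constructed denylist for illustration; a real filter would use threat-intel feeds.
KNOWN_BAD_HOSTS = {"bad.example", "payload.example"}

# A format-bound filter might simply grab everything after "://" up to the path.
NAIVE_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", re.I)


def naive_host(url: str) -> str:
    """The 'host' a naive, format-bound filter would read from the URL."""
    m = NAIVE_HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def true_host(url: str) -> str:
    """The host an RFC 3986-aware parser resolves (after userinfo, before any port)."""
    return unquote(urlsplit(url).hostname or "").lower()


def inspect_url(url: str) -> dict:
    """Return the resolved host plus a list of irregularities worth flagging."""
    parts = urlsplit(url)
    host = true_host(url)
    flags = []
    if parts.username is not None or parts.password is not None:
        flags.append("userinfo-before-host")          # user@host trick
    if "%" in parts.netloc:
        flags.append("percent-encoding-in-authority")  # obscured host text
    try:
        port = parts.port
    except ValueError:
        port = None
        flags.append("malformed-port")
    if port is not None and port not in (80, 443):
        flags.append(f"explicit-port:{port}")
    if host in KNOWN_BAD_HOSTS:
        flags.append("host-on-denylist")
    if naive_host(url) != host:
        flags.append("naive-read-differs-from-true-host")
    return {"host": host, "flags": flags}


if __name__ == "__main__":
    # Constructed sample: a trusted-looking name placed in the userinfo slot.
    print(inspect_url("https://www.trusted-site.example@bad.example/page"))
```

Run over URLs extracted from an email, the function reports the host that will actually be contacted, which is the value a denylist or reputation lookup should be keyed on.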

TechRadar Pro has sought further clarification as to what users can do to identify dangerous URLs that have been manipulated as described above.

Update:

Ed Williams, EMEA Director of SpiderLabs at Trustwave, has since provided the following comment:

"Malicious actors are always using new and novel ways to entice users to click on links, and this is no exception. We would recommend that all external URLs are examined appropriately. This can be achieved through a Secure Email Gateway (SEG)."

"As well as the technical control, we would recommend that staff are given appropriate training such that they can spot and report emails/links that appear to be malicious in nature. The combination of people, process and technology increases the likelihood of an event not happening and increases cyber maturity through a mix of controls."

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
