A PowerPoint add-on used to spread malicious files


According to findings from security firm Avanan, a PowerPoint add-on file is being used to spread malicious files. Avanan’s Jeremy Fuchs said the .ppam file, which can carry additional commands and custom macros, is being used by hackers “to wrap executable files.” The company started seeing this attack vector in January, and notes that .ppam files are used to wrap executable files in a way that allows hackers to “take control of the end user’s computer.” Most attacks arrive through email.

“In this attack, the hackers show a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain functionality. However, this file actually embeds a malicious process that overwrites registry settings,” the security researcher explains.

“By using .ppam files, hackers can wrap, and therefore hide, malicious files. In this case, the file will overwrite Windows registry settings, allowing the attacker to take control of the computer and remain active by persistently residing in computer memory. Cybercriminals have found a way to bypass security tools due to the rarity of .ppam file usage.” The researcher adds that this attack method could be used to spread ransomware, recalling an incident in October where a ransomware group used this type of file in an attack.

A plague for Microsoft

For Aaron Turner, vice president of SaaS posture at Vectra, the ubiquity of Microsoft’s collaboration suite makes it a favorite of attackers, and this PowerPoint attack is only the latest example of more than 20 years of cunning exploits delivered through Microsoft Office documents.

“For organizations that depend on Exchange Online for their email, they should review their anti-malware policies configured in their Microsoft 365 Defender portal. Alternatively, if there is a high risk of an attack that needs to be addressed outside of Defender policies, specific attachment file types can be blocked in a dedicated .ppam blocking policy as an Exchange Online mail flow policy,” argues the executive.

“When we run our posture assessment scan against Exchange Online, we check the configured policy and compare it to our recommendation to block over 100 different file types. As a result of this research, we will be adding .ppam to our list of file extensions to block due to the relative obscurity and low usage of this particular PowerPoint file extension.”
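The two controls Turner describes, a dedicated mail flow rule and the anti-malware policy in Microsoft 365 Defender, can both be set from the Exchange Online Management PowerShell module. The script below is an added example written for this article; it is not code from Avanan, Vectra or ZDNet. It assumes the `ExchangeOnlineManagement` module is installed, that the signed-in account has Exchange administrator rights, and that the tenant still uses the built-in anti-malware policy named `Default`. The rule name, reject text and admin UPN are placeholders.

```powershell
# Added example (not from the article): block .ppam attachments in Exchange Online.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# 1. Mail flow (transport) rule: reject external mail that carries a .ppam attachment.
#    This is the "dedicated .ppam blocking policy" from the quote above.
$ruleName = 'Block PPAM add-in attachments'   # placeholder name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -AttachmentExtensionMatchesWords 'ppam' `
        -RejectMessageReasonText 'PowerPoint add-in (.ppam) attachments are not accepted.' `
        -Comments 'Added after reports of .ppam files being used to wrap executables'
}

# 2. Anti-malware policy: turn on the common attachments filter and add ppam
#    to the list of blocked file types, keeping whatever types are already there.
$policy = Get-MalwareFilterPolicy -Identity Default
$types  = @($policy.FileTypes) + 'ppam' | Sort-Object -Unique
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes $types

# 3. Verify both controls are now in place.
Get-TransportRule -Identity $ruleName |
    Select-Object Name, State, FromScope, AttachmentExtensionMatchesWords
(Get-MalwareFilterPolicy -Identity Default).FileTypes -contains 'ppam'

Disconnect-ExchangeOnline -Confirm:$false
```

The rule is scoped to `NotInOrganization` so that internal users who legitimately exchange PowerPoint add-ins are not affected; widen the scope only if the organisation has no such use. Rejecting rather than silently deleting gives the sender a bounce, which makes a blocked legitimate purchase order easy to spot.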

Source: ZDNet.com