PowerPoint, Microsoft’s famous presentation software, is again a victim of piracy. According to computer security researchers at Netskope, hackers are currently using PowerPoint documents to spread malware like trojans and cryptocurrency thieves.
For several years now, PowerPoint has become a prime target for hackers. Examples abound. Already in 2017, hackers were using PowerPoint to infiltrate users’ PCs, thanks to the exploitation of a security flaw. Another vulnerability in Microsoft Office had allowed attackers the same year to target users of Word, PowerPoint or Excel.
And as we learn from computer security researchers at Netskope, this use of PowerPoint by hackers is not ready to stop. Since the end of 2021, many hacker groups have started to use legitimate cloud services to host malicious PowerPoint files. With the help of dreadful macros, attackers can deploy all kinds of malware on targeted devices.
Also Read: This Extremely Dangerous Malware Can Survive Disk Formatting
PowerPoint hijacked to empty your digital portfolio
According to the research of these experts, three malware families currently dominate : Warzone and Agent Tesla, which are both powerful Remote Access Trojans (RATs), and cryptocurrency thieves. The researchers claim that the PowerPoint file contains an obfuscated macro, the execution of which is launched by a combination of built-in Windows tools, PowerShell and MSHTA (ndrl: a component of Windows that allows reading extension files).
Once launched, the VBS script creates a new entry in Windows and runs two other scripts. The first one downloads AgentTesla, while the other disables Windows built-in antivirus solution, namely Microsoft Defender. If we know that Agent Tesla is used to steal passwords entered from a browser, keystrokes or the contents of the clipboard, we know very little about the actions of Warzone.
As for the 3rd payload, it is a cryptocurrency thief, which will first analyze your clipboard in search of identifiers and codes related to a digital wallet. Once this data is found, hackers replace them with codes from their own digital wallet. In fact, the victim can very well transfer funds directly to the attackers, without realizing it. The situation is so critical that Microsoft has chosen to disable Excel 4.0 macros by default to protect users.
Source: TechRadar