Malicious PowerPoint files used to push remote access trojans


Level 37
Thread author
Top poster
Feb 4, 2016
Since December 2021, a growing trend in phishing campaigns has emerged that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans.

According to a report by Netskope’s Threat Labs shared with Bleeping Computer before publication, the actors are using PowerPoint files combined with legitimate cloud services that host the malware payloads.

The families deployed in the tracked campaign are Warzone (aka AveMaria) and AgentTesla, two powerful RATs and info-stealers that target many applications, while the researchers also noticed the dropping of cryptocurrency stealers.

Sliding malware into Windows devices​

The malicious PowerPoint phishing attachment contains obfuscated macro executed via a combination of PowerShell and MSHTA, both built-in Windows tools.

The VBS script is then de-obfuscated and adds new Windows registry entries for persistence, leading to the execution of two scripts. The first one fetches AgentTesla from an external URL, and the second disables Windows Defender.