PowerPoint Files Abused to Take Over Computers

silversurfer (Super Moderator, Thread author)
Attackers are using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer, researchers have found.

It’s one of a number of stealthy ways threat actors recently have been targeting desktop users through trusted applications they use daily, using emails that are designed to evade security detections and appear legitimate. New research from Avanan, a Check Point company, has uncovered how a “little-known add-on” in PowerPoint – the .ppam file – is being used to hide malware. Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in a report published Thursday that the file has bonus commands and custom macros, among other functions.

Beginning in January, researchers observed attackers delivering socially engineered emails that include .ppam file attachments with malicious intent.

Andy Ful (Developer, Hard_Configurator Tools)
Has Microsoft produced a patch yet for these attacks?

A PPAM file is a PowerPoint Add-in. So it can have executable content (often a VBA macro) that is run by PowerPoint - this cannot simply be patched. The AVs can detect the attack by standard actions (using signatures, behavior detections, AMSI, etc.). One can block the infection chain via HIPS, ASR, SRP, etc. You can also harden the MS Office application by:
  1. Disabling all Add-ins via Registry or GPO.
  2. Disabling VBA in MS Office via Registry or GPO.
  3. Disassociating the PPAM extension from PowerPoint.
  4. Applying Exploit protection mitigation related to child processes.
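The four hardening steps above, applied to a single workstation and read back for verification, as an added example (this is not code from the post author or from Hard_Configurator). Assumptions: Office 2016/2019/365 under the `16.0` policy key, Microsoft Defender Antivirus with Exploit Guard available, and the registry value names `disablealladdins`, `vbaoff`, `VBAWarnings` and `blockcontentexecutionfrominternet` as used by the Office policy templates (ADMX); check them against the templates for your Office build before rolling this out, and run it from an elevated PowerShell.

```powershell
# Added example (not from the MalwareTips post): apply the four PPAM hardening
# steps to one machine and read the settings back. Registry value names are
# taken from the Office 2016+ ADMX templates (assumption: verify for your build).
# Run elevated. Steps 3 and 4 change machine-wide state (HKCR, Defender).

$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365 all use 16.0
$PolicyRoot    = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
$PpamExtension = '.ppam'
$ChildProcASR  = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'  # "Block all Office applications from creating child processes"

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Disable all application add-ins in PowerPoint (Trust Center > Add-ins policy).
function Disable-PowerPointAddIns {
    Set-PolicyDword -Path "$PolicyRoot\PowerPoint\Security" -Name 'disablealladdins' -Value 1
}

# 2. Disable VBA. 'vbaoff' turns VBA off for every Office application; the two
#    PowerPoint values are a fallback for the case where VBA must stay enabled
#    elsewhere: 4 = "disable all macros without notification", and
#    blockcontentexecutionfrominternet blocks macros in files carrying the
#    Mark-of-the-Web (e-mail attachments, downloads).
function Disable-OfficeVba {
    Set-PolicyDword -Path "$PolicyRoot\Common"              -Name 'vbaoff'      -Value 1
    Set-PolicyDword -Path "$PolicyRoot\PowerPoint\Security" -Name 'VBAWarnings' -Value 4
    Set-PolicyDword -Path "$PolicyRoot\PowerPoint\Security" -Name 'blockcontentexecutionfrominternet' -Value 1
}

# 3. Break the .ppam -> PowerPoint association so a double-clicked attachment is
#    no longer handed to POWERPNT.EXE. 'assoc .ext=' deletes the HKCR mapping.
function Remove-PpamAssociation {
    cmd.exe /c "assoc $PpamExtension="
}

# 4. Child-process mitigations: the ASR rule for Office child processes plus the
#    Exploit Protection setting on the PowerPoint binary itself.
function Block-OfficeChildProcesses {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ChildProcASR `
                     -AttackSurfaceReductionRules_Actions Enabled
    Set-ProcessMitigation -Name POWERPNT.EXE -Enable DisallowChildProcessCreation
}

# Read everything back so the change can be checked now and audited later.
function Test-PowerPointHardening {
    $sec    = Get-ItemProperty "$PolicyRoot\PowerPoint\Security" -ErrorAction SilentlyContinue
    $common = Get-ItemProperty "$PolicyRoot\Common"              -ErrorAction SilentlyContinue
    $assoc  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$PpamExtension" -ErrorAction SilentlyContinue).'(default)'

    # ASR IDs and actions are parallel arrays; action 1 = Enabled.
    $mp  = Get-MpPreference
    $asr = $false
    for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($mp.AttackSurfaceReductionRules_Ids[$i] -eq $ChildProcASR -and
            $mp.AttackSurfaceReductionRules_Actions[$i] -eq 1) { $asr = $true }
    }
    $mitig = (Get-ProcessMitigation -Name POWERPNT.EXE).ChildProcess.DisallowChildProcessCreation

    [pscustomobject]@{
        AddInsDisabled        = ($sec.disablealladdins -eq 1)
        VbaOff                = ($common.vbaoff -eq 1)
        VbaWarningsLevel      = $sec.VBAWarnings
        MotWMacrosBlocked     = ($sec.blockcontentexecutionfrominternet -eq 1)
        PpamAssociatedWith    = $assoc          # $null once the association is gone
        ChildProcessASR       = $asr
        ExploitProtectionKids = $mitig          # expect 'ON'
    }
}

Disable-PowerPointAddIns
Disable-OfficeVba
Remove-PpamAssociation
Block-OfficeChildProcesses
Test-PowerPointHardening | Format-List
```

Two caveats a deployment should account for: HKCU policy keys only cover the current user, so for a fleet the same values belong in a GPO (the HKLM `Policies` hive is honoured as well), and a per-user `UserChoice` entry under `Explorer\FileExts\.ppam` can still override the deleted HKCR association, which is why the read-back checks what is actually registered rather than assuming the `assoc` call succeeded.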
