New Netskope research found that since the end of 2021, numerous hacking groups started using legitimate cloud services to host PowerPoint files which, with the help of the dreaded macros, can deploy all kinds of nasties into target devices.
Netskope says that three families of malware dominate: Warzone (aka AveMaria), and AgentTesla - both of which are powerful Remote Access Trojans (RAT), as well as cryptocurrency stealers.
Hijacking the clipboard to steal bitcoin
The researchers claim the PowerPoint file carries with it an obfuscated macro, that gets executed by a combination of built-in Windows tools, PowerShell, and MSHTA.
Once executed, the VBS script creates a new Windows entry, and executes two additional scripts, one that downloads AgentTesla, while the other one disables the Windows built-in antivirus solution, Microsoft Defender.
While it’s a known fact that AgentTesla steals browser passwords, keystrokes, clipboard contents, and similar data, very little is known (and shared by Netskope) about Warzone.
The third payload is a cryptocurrency stealer, which scans the clipboard for data that matches a cryptocurrency wallet. If it finds it, the next time the victim copies a cryptocurrency wallet, it will paste a different one, belonging to the attackers.
Office macros have been the staple of malware distribution for ages. They’re a tool which allows Office files to contain embedded code, written in the Visual Basic for Applications (VBA) programming language. The code can hold multiple commands that can be recorded and replayed later. Initially designed to help automate repetitive tasks, they’ve since been hijacked by criminals abusing them to distribute malware.
It has gotten to the point where Microsoft disabled Excel 4.0 macros by default to keep the users safe.
- Here's our list of the best firewall tools right now