
‘Fancy’ PowerPoint lure tests out macro-less attack

As more macros get blocked by default, hackers are messing with PowerPoint.

Slide decks may rarely be interesting, but attackers still consider PowerPoint a useful lure, and they keep tinkering with the different ways the popular Office tool can hide malware.

A September report from the cybersecurity company DuskRise revealed a PowerPoint attack that triggers when a user starts presentation mode and hovers the mouse over a hyperlinked element on a slide; no click is required. The specific activation steps suggest that the group linked to the tactic, the Russian-based APT28, aka “Fancy Bear,” is experimenting beyond the traditional PowerPoint tactic of hiding macros.

“For the attackers, their old, reliable way of being able to gain code execution on the system has now drastically gone down. And so the PowerPoint mechanism is just one of many different ways that we see attackers trying to test out what’s going to be the next effective way and reliable way to get that code execution on the box,” said Jason Rebholz, CISO at Corvus Insurance.

Getting extra steps in. Malware-laden PowerPoints have been around almost as long as introductory slides with the message, “He who fails to plan is planning to fail.”

PowerPoint payloads were on the rise in 2021 and showed up again in February of this year in a campaign that modified Windows registry keys.

The traditional attack path: A spam email carries a malicious .ppt attachment; when the recipient opens it and enables macros, the embedded VBA code runs.

The details revealed by DuskRise show a few extra steps. The mouse-hover triggers a PowerShell script, launched through the legitimate Windows utility SyncAppvPublishingServer, that downloads and runs a dropper from OneDrive. The dropper then fetches a second payload and injects the Graphite malware into its own process (which only sounds like being stabbed with a pencil). Graphite uses the Microsoft Graph API and OneDrive for command-and-control communications, so its traffic looks like ordinary Microsoft cloud activity.
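The hover trigger lives in the document itself, so a mail gateway or analyst can look for it before anyone opens the deck. The following scanner is an added example and not code from DuskRise, Cluster25 or the article: it unzips a .pptx (OOXML) package, walks every slide part for the three DrawingML hyperlink elements (hlinkClick and hlinkHover on shapes, hlinkMouseOver on text runs), resolves their r:id through the slide's relationship file, and flags any link whose action is ppaction://program or ppaction://macro or whose target names a script host. The sample package it builds is constructed for the demo (one hover-triggered "run program" link plus one ordinary web link) and is not an openable deck; the script-host list is an assumption, and legacy binary .ppt files are not parsed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by .pptx slide parts and their relationship files.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hyperlink "actions" that make PowerPoint run something instead of opening a URL.
RISKY_ACTIONS = ("ppaction://program", "ppaction://macro")
# Script hosts / LOLBins that should never be a hyperlink target (assumed list for this example).
RISKY_TARGET = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|syncappvpublishingserver)",
    re.IGNORECASE,
)
# hlinkClick/hlinkHover hang off shapes (cNvPr); hlinkClick/hlinkMouseOver off text runs (rPr).
HYPERLINK_TAGS = ("hlinkClick", "hlinkHover", "hlinkMouseOver")


def load_rels(zf: zipfile.ZipFile, part: str) -> dict:
    """Map relationship Ids of a slide part to their targets (ppt/slides/_rels/slideN.xml.rels)."""
    folder, name = part.rsplit("/", 1)
    rels_part = f"{folder}/_rels/{name}.rels"
    if rels_part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_part))
    return {rel.get("Id"): rel.get("Target", "") for rel in root.iter(f"{{{NS_PKG}}}Relationship")}


def scan_pptx(data: bytes) -> list:
    """Return every slide hyperlink that runs a program/macro or points at a script host."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not (part.startswith("ppt/slides/") and part.endswith(".xml")):
                continue
            rels = load_rels(zf, part)
            root = ET.fromstring(zf.read(part))
            for tag in HYPERLINK_TAGS:
                for link in root.iter(f"{{{NS_A}}}{tag}"):
                    action = link.get("action", "")
                    target = rels.get(link.get(f"{{{NS_R}}}id", ""), "")
                    if action.startswith(RISKY_ACTIONS) or RISKY_TARGET.search(target):
                        findings.append({"part": part, "trigger": tag, "action": action, "target": target})
    return findings


def build_sample_pptx() -> bytes:
    """Constructed minimal package for the demo (not a real deck): one shape with a hover-triggered
    'run program' link and one text run with an ordinary web link."""
    slide = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree>
    <p:sp><p:nvSpPr><p:cNvPr id="2" name="Invisible rectangle">
      <a:hlinkHover r:id="rId2" action="ppaction://program"/>
    </p:cNvPr></p:nvSpPr></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkClick r:id="rId3"/></a:rPr><a:t>Agenda</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    # The target below is a constructed placeholder, not the command used in the real campaign.
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId2" Type="{NS_R}/hyperlink" TargetMode="External"
    Target="C:\\Windows\\System32\\SyncAppvPublishingServer.vbs &quot;placeholder argument&quot;"/>
  <Relationship Id="rId3" Type="{NS_R}/hyperlink" TargetMode="External"
    Target="https://example.com/agenda"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_pptx(build_sample_pptx()):
        print(f"{hit['part']}: {hit['trigger']} action={hit['action']!r} target={hit['target']!r}")
```

Run against a real file with `scan_pptx(open("deck.pptx", "rb").read())`. The benign web link on the text run is not reported; the hover link is, because of its action alone, even before the target is inspected. Slide layouts and masters can carry the same elements and are worth adding to the part filter in production.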


But why go through the trouble of requiring a mouse-hover?

Because the chain relies on a legitimate user interaction, a legitimate Microsoft-shipped utility (SyncAppvPublishingServer) and a well-known cloud service (OneDrive), the infection and its origin are challenging to analyze: a sandbox that never moves the mouse in presentation mode never sees the payload, and the download and command-and-control traffic blend in with ordinary Microsoft cloud activity.

“It’s more difficult to detect in an automatic way,” said Michele Roviello, senior associate at Cluster25, DuskRise’s threat intelligence team.
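Static inspection of the file is one side; the other is the process tree, which the hover trick cannot hide. Whatever the hyperlink launches is still a child of PowerPoint. The detection below is an added example, not a rule from DuskRise, Cluster25 or any product: it evaluates process-creation events (Sysmon event 1 style fields) against two heuristics, an Office host spawning a script interpreter or LOLBin, and a SyncAppvPublishingServer invocation whose command line carries PowerShell download or launch verbs. The four events are constructed, the command line in the malicious one is a placeholder rather than the real campaign's, and the host and verb lists are assumptions to tune per environment.

```python
import ntpath

# Office hosts that should not spawn a script interpreter by themselves (assumed list).
OFFICE_HOSTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
# Interpreters and LOLBins typical of document-borne execution chains (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "mshta.exe", "syncappvpublishingserver.exe"}
# PowerShell verbs that indicate a payload smuggled through SyncAppvPublishingServer.vbs.
POWERSHELL_MARKERS = ("start-process", "invoke-", "iex", "downloadstring", "downloadfile", "net.webclient")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules an event matches; an empty list means nothing to report."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if "syncappvpublishingserver" in cmdline and any(m in cmdline for m in POWERSHELL_MARKERS):
        hits.append("syncappvpublishingserver_runs_powershell")
    return hits


def detect(events) -> list:
    """One alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        rules = evaluate(ev)
        if rules:
            alerts.append({"rules": rules, "parent": ev.get("ParentImage", ""),
                           "image": ev.get("Image", ""), "cmdline": ev.get("CommandLine", "")})
    return alerts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # User opens the deck: benign.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'"POWERPNT.EXE" "C:\Users\alice\Downloads\deck.pptx"'},
    # Ordinary hyperlink opens the browser from PowerPoint: benign.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"msedge.exe" https://example.com/agenda'},
    # Hover action launches a script host with a placeholder payload: the chain we want to catch.
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "placeholder;Start-Process placeholder"'},
    # Admin opens a console from the desktop: benign.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rules"], "<-", alert["cmdline"])
```

Only the third event fires, on both rules; the browser launched by a normal hyperlink and the console started from Explorer stay quiet, which is the false-positive budget such a rule has to respect.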

Stop the PowerPoint! In addition to defenses like email gateways and endpoint detection and response (EDR), multifactor or passwordless authentication plays an important role in halting downloads of malicious attachments, Joy Chik, president of the identity and network access division at Microsoft, told IT Brew.

“I think everything starts with identity,” said Chik. “I think if you have a strong authentication, at least your credentials are not going to be spoofed.”

Although a 2021 Microsoft patch blocks the technique on updated systems, URLs used in the attack were still turning up in DuskRise’s telemetry in August and September of this year.

The findings arrive months after Microsoft announced it would block macros by default in Office files downloaded from the internet, a raising of the bar that, according to Rebholz, has perhaps led to experimentation amongst hackers.

“It’s a much better version of your Trojanized document than some of these others. So, it’s possible they’re just trying to test that and see what the effectiveness is versus some of these other ways,” said Rebholz.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
