May hackers got bored of injecting simple viruses to steal data, as now they’re adding their interests too. Aside from being harmful, few hackers are trying new humorous ways of dumping malware. Latest finding by AppRiver discloses an attacker referencing Drake’s song lyrics in his malicious code while stealing data.

Infecting Via PowerPoint

Master X, is a new hacker who’s spreading his malware through PowerPoint files! His campaign begins with sending an email to hosts, mostly as an important business response to act on. The email, as depicted by AppRiver consisted of two PowerPoint files as Blank slip.pss and INVOO13433361.pss, and few convincing sentences compelling the victim to click on attachments.

Drake Lyrics Used in Malware Attack
Image By The Atlantic

Clicking on either of the files enables a visual basic script to run, which uses mshta.exe, a Microsoft HTML executable that reaches Bitly link shortener. All these are just to avoid being detected by general browser defences. Further, it uses a command-line task to kill actively running Excel and Word applications.

Then, a scheduled task is created for mshta.exe to communicate with Pastebin every 60 minutes. Pastebin is just a simple plain text sharing site from where mshta.exe gets an encoded script code which further retrieves a URL that decided what type of malware (Lokibot or Azorult) the compromised victim should receive.

Referencing To Lyrics

The code that’s received from Pastebin is then translated to a Powershell script that has reference to singer Drake’s song In My Feelings, particularly, Keke (Kiki) Do You Love Me. Further, the obfuscation of DownloadString inside the Powershell code is just another layer of going stealthy in his campaign.

At last, the Powershell script communicates with Paste.ee, another plain text sharing site, to download the malicious file Calc.exe infecting the system. So far, it’s yet to estimate how successful this malware is. But whatever, it’s both hidings greatly and humourous.

LEAVE A REPLY

Please enter your comment!
Please enter your name here