Researchers from Netskope's Threat Labs have documented a PowerPoint-based information-stealing campaign that has been in the wild since late last year.
The threat actors drop AgentTesla and Warzone, two powerful data-stealing remote access trojans (RATs), alongside a cryptocurrency stealer the researchers also spotted. They warn users to be cautious when opening suspicious PowerPoint files.
PowerPoint Files Dropping RATs
A report published by Netskope's Threat Labs details a malicious campaign that picked up pace in December 2021. According to the report, spam emails carrying PowerPoint attachments are being distributed in the wild; the attachments deliver remote access trojans (RATs) and abuse legitimate cloud services.
In the first instance, AgentTesla, a powerful RAT, is distributed through PowerPoint phishing attachments. The file contains an obfuscated macro that uses a combination of PowerShell and MSHTA for execution.
The AgentTesla delivery chain also includes a function that disables Windows Defender. Further, a VBS script creates a scheduled task that runs every hour and fetches a cryptocurrency stealer from a Blogger URL.
In the second instance, another RAT named Warzone is delivered. While Netskope hasn't shared many details about this one, they said a dedicated cryptocurrency stealer is also involved in the campaign: it monitors the clipboard of the victim's system and, when it detects a cryptocurrency wallet address, replaces it with one belonging to the attackers.
The supported cryptocurrency wallets are Bitcoin, Ethereum, XMR, DOGE, and more. The researchers at Netskope have shared the complete list of IoCs, and also listed the wallets used by the actors, on a GitHub page for awareness.
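One way a defender can spot the clipboard-swapping behaviour described above is to watch for a copied wallet address being replaced, within a fraction of a second, by a different address of the same currency. The script below is an added example, not code from Netskope or from the campaign; the address regexes are simplified assumptions, and the clipboard snapshots are constructed sample data rather than a live feed.

```python
import re

# Simplified (assumed) address formats for the wallet types the stealer targets.
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][0-9A-Za-z]{94}$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}$"),
}


def classify(text):
    """Return the wallet type a clipboard string looks like, or None."""
    text = text.strip()
    for coin, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None


def detect_swaps(snapshots, window=2.0):
    """Flag clipboard changes that look like an address swap.

    snapshots: list of (timestamp_seconds, clipboard_text) in time order.
    A swap is suspected when one wallet address is replaced by a different
    address of the same currency within `window` seconds; a human rarely
    copies two addresses of the same coin that quickly, but a stealer does.
    """
    alerts = []
    prev = None
    for ts, text in snapshots:
        coin = classify(text)
        if prev is not None:
            prev_ts, prev_text, prev_coin = prev
            if coin and coin == prev_coin and text != prev_text and ts - prev_ts <= window:
                alerts.append({"coin": coin, "copied": prev_text, "replaced_with": text, "at": ts})
        prev = (ts, text, coin)
    return alerts


# Constructed clipboard history: a BTC address is replaced 0.3 s after being
# copied (suspicious); an ETH address is replaced 65 s later by normal use (benign).
SAMPLE_SNAPSHOTS = [
    (10.0, "1CopiedBtcAddrAAAAAAAAAAAAAAAAAAAA"),
    (10.3, "1SwappedBtcAddrBBBBBBBBBBBBBBBBBBB"),
    (20.0, "meeting notes for thursday"),
    (30.0, "0x" + "a" * 40),
    (95.0, "0x" + "b" * 40),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[!] {alert['coin']} address swapped at t={alert['at']}: {alert['copied']} -> {alert['replaced_with']}")
```

A live monitor would poll the clipboard periodically and feed the observed (time, text) pairs into detect_swaps; an alert is a strong signal that a clipboard hijacker is resident on the host.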
Threat actors are also seen using legitimate cloud services to host and retrieve their malicious payloads, since traffic to such services is less likely to be flagged by security systems.