Researchers have identified a new malware distribution campaign that utilizes malicious macros concealed within Microsoft PowerPoint attachments.
According to security firm Trustwave, the rigged PowerPoint files are being distributed en masse via email and, once downloaded, set in motion a chain of events that ultimately lead to a LokiBot malware infection.
This mechanism in itself is not unusual, but the manner in which this particular scam evades detection caught the company’s eye. Namely, the way URLs are manipulated to conceal the final payload.
PowerPoint malware campaign
According to Trustwave, the series of domains used in this campaign to infect the target user were actually already known to host malicious content.
However, the hackers have leveraged URL manipulation techniques to conceal the dangerous domains, hoodwinking both the victim and any security filters that might be in place.
Specifically, the campaign abuses standard uniform resource identifier (URI) syntax to bamboozle antivirus services coded to guard against only URLs that follow a particular format.
Opening and closing the infected PowerPoint file activates the malicious macro, launching a URL via the Windows binary “mshta.exe.”, which itself redirects to a VBScript hosted on Pastebin, an online service for storing plain text.
This script contains a second URL, which writes a PowerShell downloader into the registry, triggering the download and execution of two further URLs – also from Pastebin.
One loads up a DLL injector, which is then used to infect the machine with a sample of LokiBot malware concealed within the final URL.
This process might appear excessively convoluted, but the layers of concealment and misdirection – coupled with URL-related sleight of hand – are what allows the attack to proceed unchecked.
To mitigate against this kind of threat, Trustwave has advised users to put in place a sophisticated anti-malware solution designed specifically to combat email-based threats and to interrogate all URLs for irregularities that might betray a scam.
TechRadar Pro has sought further clarification as to what users can do to identify dangerous URLs that have been manipulated as described above.