PowerPoint Presentations Can Pack a Punch

Cyber threat actors are now using socially engineered emails with .ppam file attachments that hide malware capable of rewriting Windows registry settings on targeted machines and taking over an end user’s computer, researchers have found.  It is one of a number of stealthy ways threat actors have recently been targeting desktop users through the trusted applications they use daily, with emails designed to evade security detections and appear legitimate.

New research from Avanan (https://avanan.com) has uncovered how a “little-known add-on” in PowerPoint, the .ppam file, is being used to hide malware.  A .ppam file is a PowerPoint macro-enabled add-in: an Office Open XML package (a ZIP container) that can carry VBA macros and embedded objects in addition to presentation content.  Jeremy Fuchs, cybersecurity researcher and analyst at Avanan, wrote in a report published this month that the file type has bonus commands and custom macros, among other functions.

Beginning in January 2022, researchers observed attackers delivering socially-engineered emails that include .ppam file attachments with malicious intent.  One email observed in the campaign, for example, purported to be sending the recipient a purchase order.  The attached .ppam file – named PO04012022 to appear legitimate – included a malicious executable, Fuchs said.

Malicious email posing as a standard purchase order. Source: Avanan

The payload executed a number of functions on the end user’s machine that were not authorized by the user, including installing new programs that create and open new processes, changing file attributes, and dynamically calling imported functions. “By combining the potential urgency of a purchase order email, along with a dangerous file, this attack packs a one-two punch that can devastate an end-user and a company,” Fuchs wrote.

The campaign allows attackers to bypass a computer’s existing security (in this case, security provided by Google) with a file type that is rarely used and thus is unlikely to trip an email scanner, he said.  “Plus, it shows the potential dangers of this file, as it can be used to wrap any sort of malicious file, including ransomware,” Fuchs reported.
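Because a .ppam file is a ZIP-based Office Open XML package, a mail gateway or analyst can inspect it without opening PowerPoint. The script below is an added example (not code from Avanan or Red Sky Alliance) that unpacks an attachment, checks the declared content type for the add-in main part, looks for the VBA project part, and scans embedded objects for an executable (MZ) header. It also catches the case where an attachment named .ppam is a raw executable rather than an Office file. The sample package it builds is constructed here for demonstration and contains no real macro or executable code.

```python
"""Triage an Office Open XML attachment (.ppam/.pptm/.pptx) for risky parts.

Added example, not from Avanan or Red Sky Alliance. Assumptions: the content
type string for a .ppam main part and the part paths below follow the Office
Open XML conventions; the sample bytes are constructed, not a real document.
"""
import io
import zipfile

# VBA project part locations in the three Office package families
MACRO_PARTS = {"ppt/vbaProject.bin", "word/vbaProject.bin", "xl/vbaProject.bin"}
# Content type declared for the main part of a PowerPoint add-in (.ppam)
PPAM_MAIN_TYPE = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"
PPTX_MAIN_TYPE = ("application/vnd.openxmlformats-officedocument."
                  "presentationml.presentation.main+xml")
MZ = b"MZ"                                        # DOS/PE executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy OLE compound file


def triage_attachment(data: bytes) -> dict:
    """Classify attachment bytes and list the parts that make them risky."""
    result = {"kind": "unknown", "is_addin": False, "has_vba": False,
              "embedded_exe": [], "parts": []}
    if data.startswith(MZ):
        result["kind"] = "raw_executable"   # a PE renamed to .ppam
        return result
    if data.startswith(OLE_MAGIC):
        result["kind"] = "ole_legacy"       # binary .ppa/.ppt; needs an OLE parser
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["kind"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["is_addin"] = PPAM_MAIN_TYPE in types_xml
        for name in names:
            if name in MACRO_PARTS:
                result["has_vba"] = True
            elif "/embeddings/" in name and not name.endswith("/"):
                # Embedded objects are where a wrapped executable would sit
                with zf.open(name) as part:
                    if part.read(2) == MZ:
                        result["embedded_exe"].append(name)
    return result


def verdict(result: dict) -> str:
    """Collapse findings into a gateway action: block / review / allow."""
    if result["kind"] == "raw_executable" or result["embedded_exe"]:
        return "block"
    if result["kind"] != "ooxml" or result["has_vba"] or result["is_addin"]:
        return "review"   # macros, add-in packaging, or a format we cannot inspect
    return "allow"


def build_sample(addin=True, vba=True, embed_exe=True) -> bytes:
    """Constructed sample package; stub bytes only, no real macro or PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_type = PPAM_MAIN_TYPE if addin else PPTX_MAIN_TYPE
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/ppt/presentation.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        if vba:
            zf.writestr("ppt/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
        if embed_exe:
            zf.writestr("ppt/embeddings/oleObject1.bin", MZ + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_attachment(build_sample())
    print(verdict(findings), findings["embedded_exe"], findings["has_vba"])
```

A real gateway rule would not stop at the MZ check: the VBA project itself should be extracted and examined (for example with a VBA parser), and any embedded object should be detonated in a sandbox, which is the control Fuchs recommends later in the article. The point of the script is that the file type's rarity is not a reason to skip inspection; the package format makes the inspection cheap.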

During October 2021, investigators reported that attackers were using .ppam files to wrap ransomware, he said, citing a report on the Ppam ransomware published in October by the cybersecurity portal PCrisk.  The latest scam is one of several new email-based campaigns uncovered by researchers recently that target desktop users working in commonly used word-processing and collaboration apps such as Microsoft Office, Google Docs, and Adobe Creative Cloud. Attackers typically use email to deliver malicious files or links that steal user information.

In November 2021, reports showed that scammers were using a legitimate Google Drive collaboration feature to trick users into clicking on malicious links in emails or push notifications that invited people to share a Google document. The links directed users to websites that stole their credentials.

A wave of phishing attacks during December 2021 targeted mainly Outlook users, leveraging the “Comments” feature of Google Docs to send malicious links that also lifted credentials from victims. In January 2022, the Avanan team reported on another scam, first observed in December 2021, in which threat actors created accounts within the Adobe Creative Cloud suite and sent images and PDFs that appeared legitimate but instead delivered malware to Office 365 and Gmail users.

To keep email scams from slipping past corporate users, Fuchs recommended some typical precautions that security administrators should implement consistently.  One is to install email protection that downloads all files into a sandbox and inspects them for malicious content. Another is to take extra security steps – such as dynamically analyzing emails for indicators of compromise (IoCs) – to ensure the safety of messages coming into the corporate network, he said. “This email failed an SPF check and there was an insignificant historical reputation with the sender,” Fuchs wrote of the phishing message observed by Avanan researchers. SPF, the Sender Policy Framework, is an email authentication technique in which a domain publishes, in a DNS TXT record, the hosts authorized to send mail on its behalf; a receiving server compares the connecting IP address against that record for the envelope sender’s domain, so a message sent from an unauthorized host fails the check. Note that SPF covers the envelope sender, not the From header the user sees; aligning the two is the job of DMARC.
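The SPF failure Fuchs mentions is the result of a mechanical check that is easy to reproduce. The evaluator below is an added example (not Avanan’s or Red Sky Alliance’s code) implementing the ip4, ip6, include and all mechanisms of RFC 7208 with the four qualifiers. DNS is replaced by a constructed table of TXT records, and the domains and addresses are documentation-range values chosen for illustration, so it runs offline; a production check would resolve the records and also support the a, mx and exists mechanisms.

```python
"""Minimal SPF (RFC 7208) evaluator for ip4/ip6/include/all mechanisms.

Added example, not from Avanan or Red Sky Alliance. DNS is replaced by a
constructed table so the check runs offline; the domains and IP ranges below
are documentation values (RFC 5737 / RFC 3849) and are assumptions of this
example, not real infrastructure.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumed records for this example)
DNS_TXT = {
    "supplier.example": "v=spf1 ip4:203.0.113.0/24 include:relay.example -all",
    "relay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "loose.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "broken.example": "v=spf1 include:nonexistent.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF policy.

    Returns one of pass / fail / softfail / neutral / none / permerror,
    the result names used by RFC 7208.
    """
    if depth > 10:                       # RFC 7208 caps lookup-driven recursion
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the v=spf1 version tag
        qualifier = "+"                   # mechanisms default to pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # Version mismatch (v4 address vs v6 network) simply does not match
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include matches only if the referenced policy yields pass;
            # a missing record there is a permanent error for the whole check
            sub = check_spf(arg, sender_ip, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"            # a, mx, exists, ptr, redirect: not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "192.0.2.77"):
        print(ip, check_spf("supplier.example", ip))
```

A "fail" from a -all record is the hard signal Fuchs describes; a ~all record produces "softfail", which many receivers only use as one input to a spam score. Either way, the result applies to the envelope sender domain, so a message can pass SPF while still displaying a spoofed From header unless DMARC alignment is enforced.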

Cyber security personnel should encourage all end-users in their networks to contact their IT department if they see an unfamiliar file come over via email.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that has long collected and analyzed cyber indicators.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com    

Weekly Cyber Intelligence Briefings:


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
