EXECUTIVE SUMMARY:

Cyber attackers are deploying emails with .ppam file attachments that can hide malware capable of rewriting Windows registry settings on targeted devices.

How it works

Attackers work with an under-the-radar PowerPoint file to obscure malicious executables that rewrite Windows registry settings to hijack personal computers.

This campaign represents one of several stealthy ways that threat actors now target desktop users via trusted applications. Emails sent manage to evade security detections and appear legitimate.

Research findings

Emerging research from Avanan, a Check Point company, highlights how a “little-known add-on” in PowerPoint –the .ppam file- can be coopted to cloak malware. Jeremy Fuchs, researcher and analyst with Avanan, noted in a published report that the file includes bonus commands and custom macros, among other functions.

Starting in January, researchers reported attackers delivering manipulated emails that include malicious .ppam file attachments.

Email as attack vector

One email included in the campaign appears to send the recipient a purchase order. The corresponding .ppam file is designed to appear legitimate, but includes a malicious executable.

The payload proceeded with a series of functions on the targeted machine that were not expressly permitted by the user, including the installation of new programs that create and open new processes, change file attributes and call imported functions.

“By combining the potential urgency of a purchase order email, along with a dangerous file, this attack backs a one-two punch that can devastate an end-user and a company,” wrote Fuchs.

The campaign enables hackers to circumvent a device’s existing security. It does so with a file that’s rarely used, and thus will not activate email scanner alerts.

“Plus, it shows the potential dangers of this file, as it can be used to wrap any sort of malicious file, including ransomware,” says Fuchs.

Indeed, reports from October show that attackers used .ppam files to wrap ransomware.

Targeted desktop users

This scam represents one of several email-based campaigns recently uncovered by researchers. Many campaigns target desktop users operating on commonly used word processing and collaboration apps, like Microsoft Office, Google Docs and Adobe Creative Cloud. Attackers commonly use email to send malicious attachments or links that steal user data.

In November, researchers reported that scammers were using malicious links to coerce people into sharing a Google document. The links directed users to credential-stealing websites.

In December, a wave of phishing attacks that primarily targeted Outlook users leveraged the ‘comments’ feature within Google Docs to distribute malicious links that pinched user credentials.

Last month, Avanan reported on another scam concerning bogus accounts within the Adobe Cloud suite. Attackers had used the Adobe tools to send images and PDFs that appeared legitimate, but that actually delivered malware to Office 365 and Gmail users.

Mitigations and Prevention

To prevent email scams from getting past employees, Jeremy Fuchs recommends that administrators take traditional email security precautions. Admins should install email protection that downloads files into a sandbox to inspect them for malicious components. Taking extra security steps, such as dynamically analyzing emails for indicators of compromise (IoCs), is also advised. This ensures the safety of emails filtering through corporate networks.

“This email failed an SPF check and there was an insignificant historical reputation with the sender,” Fuchs wrote of the phishing message that Avanan researchers observed. SPF, Sender Policy Framework, represents an email authentication tactic designed to prevent hackers from sending spoofed messages through an alternate domain name.

Corporate groups may also wish to continuously encourage employees to contact the IT department if they receive unfamiliar files via email.

Would you like to learn more about email security best practices? See CyberTalk.org’s past coverage.