PowerPoint custom actions used to trigger malicious payloads instead of macros
While analyzing recent phishing attacks, we found that attackers have started to use PowerPoint custom actions, rather than macros, to trigger a malicious payload. Malicious PowerPoint attachments are not new, but this technique is still interesting because it sidesteps the controls that govern whether macros in an Office attachment are allowed to run.
1. The attacker creates a new PowerPoint file and inserts a malicious script or executable. The inserted file is embedded as an OLE object.
2. A custom animation is set to start with the "previous" step, so that the "activate contents" object action fires automatically and executes the embedded OLE object.
3. Finally, the document is saved as a PowerPoint Show file, which enters slideshow view as soon as it is opened.
When a user opens such a presentation, it enters slideshow view and starts playing the first slide. This triggers the custom action, which executes the embedded malicious payload. When the embedded content is activated, the user receives a security warning asking whether to open/execute the file.
In the sample we found, the script was named Powerpoint.vbe to trick users into executing the malicious payload.
After analyzing the content of the presentation, we found that the attackers used several methods to hide the script. First, an image that looks like a slide header covers the embedded object's icon; moving that image aside exposes the object for further inspection.
By default, the inserted object is stored in the ppt/embeddings directory under the name oleObject1.bin; the number in the name increments with each additional embedded object.
Using the psparser.py tool, we can inspect the object metadata in the embedded file and extract the malicious payload.
The script (Powerpoint.vbe) embedded in this sample downloads hxxp://secureemail[.]bz/updater.exe and executes the downloaded file "updater.exe" (c098a36309881db55709a759df895803).
The following script from the Microsoft TechNet gallery is commonly used to decode encoded VBScript (.vbe): https://gallery.technet.microsoft.com/Encode-and-Decode-a-VB-a480d74c
Detecting malicious presentation documents
For a custom action to serve as the payload carrier, the attacker must ensure two things:
1. the action is triggered when the slide starts playing;
2. the action executes the embedded payload.
In addition, attackers typically disguise the payload's name to lure users into clicking and executing it. Defenders can combine this trait with the two conditions above to help identify malicious presentations.
To make the presentation start playing automatically when opened, the attacker needs to save it as a PowerPoint Show file (.ppsx). In that case the [Content_Types].xml part declares the following content type:
application/vnd.openxmlformats-officedocument.presentationml.slideshow
Note: attackers can rename the file to the traditional .pps extension to bypass a check on this content type. The file still opens directly in slideshow view even though it is not in the binary file format. Renaming a binary file to the modern .ppsx extension, on the other hand, causes PowerPoint to raise an error.
Attackers also need to embed content that can be executed when triggered, usually a script or an executable. Any such inserted file is embedded in the presentation as an OLE object by packager.dll.
By default, the embedded object is referenced from the slide's XML by an oleObj node inside a graphicFrame. Note: if the attacker edits the generated XML, the oleObj tag can also carry other children, namely the embedded identifier and the embedded object itself.
In this case the embedded content is a script or executable program and its progId is Package, which indicates that no local application will interpret the object's content.
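The three OpenXML indicators just described (the slideshow content type, the ppt/embeddings parts, and an oleObj with progId="Package") can be checked statically without opening the file. The script below is an added example written for this post, not the authors' tooling; the package it scans is constructed in memory and assumes the default part names described above.

```python
import io
import re
import zipfile

# Content type that makes PowerPoint open the file straight into slideshow view.
# The Override in [Content_Types].xml carries it with a ".main+xml" suffix,
# so a substring match catches both spellings.
SLIDESHOW_CT = "application/vnd.openxmlformats-officedocument.presentationml.slideshow"
OLEOBJ_RE = re.compile(r'<p:oleObj\b[^>]*\bprogId="([^"]+)"')


def triage_presentation(data: bytes) -> dict:
    """Static triage of a .pptx/.ppsx byte string for the indicators above."""
    z = zipfile.ZipFile(io.BytesIO(data))
    names = z.namelist()
    ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
    slides = [n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)]
    # Embedded OLE objects land in ppt/embeddings/ as oleObjectN.bin.
    embeddings = [n for n in names if n.startswith("ppt/embeddings/")]
    package_objs = []
    for slide in slides:
        xml = z.read(slide).decode("utf-8", "replace")
        # progId="Package" means packager.dll wrapped an arbitrary file
        # (script or executable) rather than a typed object such as a worksheet.
        if any(m.group(1) == "Package" for m in OLEOBJ_RE.finditer(xml)):
            package_objs.append(slide)
    auto = SLIDESHOW_CT in ctypes
    return {
        "auto_slideshow": auto,
        "slide_count": len(slides),
        "embeddings": embeddings,
        "package_objects": package_objs,
        # Auto-playing single-slide show wrapping a Package object: the
        # combination the rule names later in this post point at (assumption).
        "suspicious": auto and bool(package_objs) and len(slides) == 1,
    }


def build_sample() -> bytes:
    """Constructed in-memory package mimicking the sample's layout (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/ppt/presentation.xml" '
                   f'ContentType="{SLIDESHOW_CT}.main+xml"/></Types>')
        z.writestr("ppt/slides/slide1.xml",
                   '<p:sld><p:graphicFrame><p:oleObj name="Package" '
                   'progId="Package" r:id="rId2"/></p:graphicFrame></p:sld>')
        z.writestr("ppt/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()
```

Calling `triage_presentation(open(path, "rb").read())` on a real file returns the same dictionary; the embedded .bin parts it lists are the ones to hand to psparser.py.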
In the past, attackers typically obfuscated content inserted into traditional Office documents (binary compound documents). Modern Office documents (OpenXML) are XML-based and therefore easy for researchers to analyze, whereas the traditional format is a binary document made up of several OLE streams, described in the official MS-PPT documentation.
The official specification runs to about 650 pages. Fortunately, we do not need to read all of it; we only need to know how OLE objects are referenced and stored.
By analyzing samples against the official documentation, we identified the following record types, which are used to reference or link OLE objects.
The RT_ExternalOleEmbed container and the RT_ExternalOleEmbedAtom and RT_ExternalOleObjectAtom atoms indicate that the sample contains embedded content or a linked OLE object. Their presence is a strong sign that the sample is suspicious and that its content warrants further analysis.
Indicators
The following indicators can help identify possible infections, and defenders can also use Yara rules to identify these malicious documents.
Sample hash values:
D7c6e591c0eb1e7ab23c036fd1c93003
2968fb5744433a7a8fabf65228f57801
f4abbd6f97f035cfadd43962ee5c0e20
Main network indicators:
hxxp://secureemail[.]bz/updater.exe
unzip hxxp://secureemail[.]bz/pending.exe (982a2161673245c3eaa80313238f4037)
For existing PhishMe Triage customers, the following rules flag these malicious documents:
PM_PPT_With_OLEObject
PM_PowerPoint_Show_Embedded_OLE
PM_PowerPoint_Single_Slide_Presentation
Summary
This is another example of attackers bypassing security controls with existing application features. Instead of macros, they use slide animations and custom actions to trigger the embedded payload. Unlike the traditional macro route, the user is not asked to enable script execution; they are only asked to confirm that they want to run the payload. That gives attackers more room to forge executable or script names and ultimately fool users.