Avanan Claims That a PowerPoint Add-on Was Being Used to Distribute Malicious Files

Short News:- 


A PowerPoint add-on is being used to spread malicious files. Avanan's Jeremy Fuchs says hackers are using the .ppam file to "wrap executable files". This allows them to overwrite the registry settings in Windows, allowing the attacker to take control of the computer. The majority of attacks originate via email.





Detailed News:- 

According to Avanan's findings, a PowerPoint add-on is being used to spread malicious files.

According to Avanan's Jeremy Fuchs, hackers are using the .ppam file — which includes bonus commands and custom macros — to "wrap executable files."

The company first noticed the attack vector in January, noting that .ppam files were being used to wrap executable files in a manner that enables hackers to "take over the end user's computer." The majority of attacks originate via email.

"The hackers are displaying a generic purchase order email in this attack, a fairly standard phishing message. The email includes a .ppam file as an attachment. A .ppam file is a PowerPoint add-on that enhances and expands certain capabilities in PowerPoint. However, this file is actually a wrapper for a malicious process that will overwrite the registry settings," as Fuchs stated.

"By wrapping malicious files in .ppam files, hackers can conceal them. In this case, the file will overwrite the registry settings in Windows, allowing the attacker to take control of the computer and maintain active status by persisting in the computer's memory."






Due to the infrequent use of the .ppam file, the hackers discovered a way around security tools. Fuchs added that the attack technique could be used to spread ransomware, citing an October incident in which a ransomware group did use the file type in an attack.

According to Aaron Turner, vice president of SaaS posture at Vectra, the ubiquity of Microsoft's collaboration suite makes it a favorite target for attackers, and the latest PowerPoint attack is the latest in a long line of devious Microsoft Office documents delivering exploits over the last two decades.

"Organizations that use Exchange Online for email should conduct a review of their anti-malware policies configured in the Microsoft 365 Defender portal. Alternatively, if a high risk of attack requires action outside of the Defender policies, specific attachment file types can be blocked in an Exchange Online mail flow policy using a dedicated .ppam blocking policy," Turner remarked.

"When we conduct a posture assessment scan against Exchange Online, we compare the configured policy to our recommendation of blocking over 100 different file types. We'll be adding, as a result of this research, .ppam to our list of file extensions to block due to its relative obscurity and low usage."
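
The attachment blocking Turner describes, sketched as a mail-gateway check; this is an added example, not code from Avanan, Vectra or Microsoft. The function names and the sample message are constructed for illustration, and the check recognizes a PowerPoint add-in by its file name and by the OOXML content type inside the container.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# OOXML main-part content type that marks a macro-enabled PowerPoint add-in.
PPAM_CONTENT_TYPE = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"

def inspect_attachment(filename, data):
    """Return a finding if the attachment is a .ppam by name or content, else None."""
    by_name = (filename or "").lower().endswith(".ppam")
    by_content = has_vba = False
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" in names:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                by_content = PPAM_CONTENT_TYPE.lower() in types.lower()
            # Custom macros live in a vbaProject.bin part of the container.
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    if by_name or by_content:
        return {"filename": filename, "by_name": by_name,
                "by_content": by_content, "has_vba": has_vba}
    return None

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return findings for its attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hits = (inspect_attachment(p.get_filename(), p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments())
    return [h for h in hits if h]

def build_sample_message(attachment_name):
    """Constructed sample: purchase-order style mail with an inert add-in container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override ContentType="%s"/></Types>' % PPAM_CONTENT_TYPE)
        zf.writestr("ppt/vbaProject.bin", b"placeholder, not a real VBA project")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Purchase order", "a@example.com", "b@example.com"
    msg.set_content("Please see the attached order.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name in ("order.ppam", "order.pptx"):
        print(name, scan_message(build_sample_message(name)))
```

A gateway would quarantine or reject any message for which `scan_message` returns a finding, in line with the blocking policy described above.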
