Infecting Via PowerPoint
Master X, is a new hacker who’s spreading his malware through PowerPoint files! His campaign begins with sending an email to hosts, mostly as an important business response to act on. The email, as depicted by AppRiver consisted of two PowerPoint files as Blank slip.pss and INVOO13433361.pss, and few convincing sentences compelling the victim to click on attachments. Clicking on either of the files enables a visual basic script to run, which uses mshta.exe, a Microsoft HTML executable that reaches Bitly link shortener. All these are just to avoid being detected by general browser defences. Further, it uses a command-line task to kill actively running Excel and Word applications. Then, a scheduled task is created for mshta.exe to communicate with Pastebin every 60 minutes. Pastebin is just a simple plain text sharing site from where mshta.exe gets an encoded script code which further retrieves a URL that decided what type of malware (Lokibot or Azorult) the compromised victim should receive.
Referencing To Lyrics
The code that’s received from Pastebin is then translated to a Powershell script that has reference to singer Drake’s song In My Feelings, particularly, Keke (Kiki) Do You Love Me. Further, the obfuscation of DownloadString inside the Powershell code is just another layer of going stealthy in his campaign. At last, the Powershell script communicates with Paste.ee, another plain text sharing site, to download the malicious file Calc.exe infecting the system. So far, it’s yet to estimate how successful this malware is. But whatever, it’s both hidings greatly and humourous.
