AgentTesla Being Distributed via Sophisticated PowerPoint Files
When the PowerPoint file is run, a security notice appears, where the user selects whether or not to enable macros just like in the previous cases.
Selecting Enable macro runs the malicious macro. When the malicious macro is executed, an error notice appears disguised as a PowerPoint error, making it difficult for users to notice malicious behaviors. The malicious macro is executed automatically by the Auto_Open() function, and the data used for the malicious behavior is obfuscated.
Unobfuscating it shows the strings below, and the malicious command is executed via the shell function. The malicious command executed by the malicious macro and just like in the previous cases, it approaches a malicious URL via mshta process to run additional scripts.
Featured Resources
Subscribe to Our Blog
Subscribe now to get the latest insights, expert tips and updates on threat exposure validation.