
New Phishing Attack Abuses PowerPoint Files to Spread Malware


Threat actors have come up with yet another way to infiltrate target systems and spread malware. In a new campaign that is being tracked by security researchers, bad actors are using a little-known PowerPoint file format to spread malware and take over victims' systems.

Less-Known Filetype Used to Wrap Malware

The attacks are being tracked by a company that is part of security firm Check Point Software. In this new campaign, threat actors use a file format that belongs to the group of extensions Microsoft PowerPoint works with and opens, but one that is not used very often.

The attacks use .ppam files - an add-in file format for PowerPoint presentations. The file type includes additional commands and macros not found in other PowerPoint file types.

Researchers have been tracking the PowerPoint file attacks since January 2022. The bad actors are using the .ppam files to wrap executables used to take over systems. The files are being spread using phishing emails with text related to a fake purchase order and a request for the victim to respond with an invoice.

The malicious executable file wrapped inside the .ppam file has the ability to write Windows registry values and achieve persistence while monitoring the victim system's memory. The little-known file type means that the payload contained inside the .ppam file can dodge security measures on the target system.

.PPAM Files Could Deliver Ransomware

Security researchers outlined the danger that a less frequently used file type poses. By wrapping the malicious payload inside a file that is not usually scanned by automated security measures, bad actors can deliver any executable payload they desire, including ransomware. In fact, the researchers tracking the current campaign mentioned that a .ppam file was used in a ransomware attack back in October 2021.

Beyond improving sandboxing measures and routing all downloads through a sandbox before they are opened on the target system, the researchers recommend that company staff always contact IT specialists when they encounter an unfamiliar file extension for the first time.
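The article's point is that a rarely used extension slips past filters that key on filename. An added example, not code from the article or the researchers, showing how a mail-gateway pre-filter can instead identify a PowerPoint add-in by its OOXML content type and flag a VBA project or PE-headed member inside the package. The content-type strings are the standard Office ones; the sample package is constructed here and contains no real macro or executable.

```python
import io
import zipfile

# Standard OOXML content types for a macro-enabled PowerPoint add-in (.ppam)
# package and for an embedded VBA project (assumed constants, not from the article).
PPAM_MAIN_CT = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
MZ_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


def triage_office_attachment(data: bytes) -> dict:
    """Classify an attachment by its bytes, ignoring the filename extension.

    Returns flags a gateway or sandbox pre-filter can act on: OOXML package or
    not, declared as a .ppam add-in, VBA project present, members with a PE header.
    """
    result = {"is_ooxml": False, "is_ppam": False, "has_vba": False, "pe_members": []}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not a ZIP container, so not an OOXML document
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            content_types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            result["is_ppam"] = PPAM_MAIN_CT in content_types
            result["has_vba"] = VBA_PROJECT_CT in content_types or any(
                n.lower().endswith("vbaproject.bin") for n in names)
            for name in names:
                with pkg.open(name) as member:  # peek at the first two bytes only
                    if member.read(2) == MZ_MAGIC:
                        result["pe_members"].append(name)
    except zipfile.BadZipFile:
        pass
    return result


def build_sample_ppam() -> bytes:
    """Constructed stand-in for a malicious .ppam: minimal package declaring the
    add-in content type, a VBA project part and one PE-headed embedded blob."""
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/ppt/presentation.xml" ContentType="{PPAM_MAIN_CT}"/>'
          f'<Override PartName="/ppt/vbaProject.bin" ContentType="{VBA_PROJECT_CT}"/>'
          '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", ct)
        z.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # OLE header, no macro
        z.writestr("ppt/embeddings/oleObject1.bin", b"MZplaceholder-not-a-real-pe")
    return buf.getvalue()
```

Because the check reads the package rather than the name, a .ppam renamed to .pptx or .zip is classified the same way.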