Powerpoint Presentation Used As Phishing Attack

Hi guys,

Recently a phishing attack has been discovered which uses PowerPoint Custom Actions instead of macros to execute a malicious payload. Using PowerPoint attachments in phishing attacks is not new, but these attacks in particular can bypass controls that key on macro-enabled Office attachments.

This is how it happens: an attacker creates a new PowerPoint presentation and inserts a malicious script or executable, which is embedded as an OLE object. A Custom Action is then created, set to trigger ‘With Previous’, with the action ‘Activate Contents’ to execute the embedded OLE object. The presentation is saved as a PowerPoint Show file so that, once opened, it immediately starts in slide show view.

The presentation opens in “show mode”, displaying the first slide to the user. The custom action is then triggered and executes the embedded payload, after which the user is shown a security warning asking whether they want to open/execute the file.

What you need to know when detecting malicious presentations

If an attacker wants the victim to execute a custom action, the action needs to be triggered when the slide deck starts, and it then needs to execute an embedded payload.

Additionally, attackers will often attempt to obfuscate the payload name to lure users into allowing execution. These properties can help identify malicious presentation files.

For a presentation to run automatically as a slide show, the attacker needs to save the file as a PowerPoint Show (ppsx) document, which is identified within the [Content Types].xml file by the content type: application/vnd.openxmlformats-officedocument.presentationml.slideshow

The check for this content type can be bypassed by renaming the file to use the legacy .pps extension. PowerPoint will still open the document in Slide View even though it is not in the binary format. If it is renamed to the modern ppsx extension instead, PowerPoint will throw an error…

The attacker will also have to embed content to execute once the action is triggered; this is often a script or executable file. Either of these will be embedded within the presentation as an OLE object handled by the legacy Packager server (packager.dll).

By default the embedded object will be contained in a graphicFrame and referenced by an oleObj node in the slide XML markup. The oleObj tag could be contained within other objects if the attacker modifies the output, and it will contain the tag embed, indicating an embedded object.

In cases where the embedded content is a script or executable, the progId will be “Package”, identifying that there is no native server to handle the content.

Attackers will often use legacy Office formats as a way to further obfuscate the content of a document. The modern Office file formats are standardized XML markup that can be easily analyzed by incident responders and researchers. In contrast, the legacy format is a binary file consisting of a number of OLE streams.
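The three properties above (slideshow content type, a Packager-served oleObj with an embed child, and an auto-triggered action) can be checked directly against the OOXML zip. The scanner below is an added example, not code from the original post or from PhishMe; it assumes the PresentationML namespace, that "With Previous" timing appears as a p:cTn with nodeType="withEffect", and that the "Activate Contents" action is a p:cmd with type="verb" (schema names I take as assumptions). The sample archive it builds is constructed for the test and is not a real malicious file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

P_URI = "http://schemas.openxmlformats.org/presentationml/2006/main"
P = "{" + P_URI + "}"
SLIDESHOW_CT = "application/vnd.openxmlformats-officedocument.presentationml.slideshow"
AUTO_NODE_TYPES = {"withEffect", "afterEffect"}  # "With/After Previous" triggers (assumed schema names)

def scan_presentation(data: bytes) -> dict:
    """Inspect raw OOXML zip bytes and report the indicators described in the post."""
    found = {"slideshow_content_type": False, "package_ole_objects": [], "auto_verb_actions": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" in names:
            found["slideshow_content_type"] = SLIDESHOW_CT in z.read("[Content_Types].xml").decode("utf-8", "replace")
        for name in names:
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            root = ET.fromstring(z.read(name))
            # Embedded script/executable: p:oleObj with progId="Package" and a p:embed child.
            for ole in root.iter(P + "oleObj"):
                if ole.get("progId") == "Package" and ole.find(P + "embed") is not None:
                    found["package_ole_objects"].append((name, ole.get("name", "")))
            # Custom action: a time node that fires without a click and whose behaviour is an
            # OLE verb ("Activate Contents"); p:cmd type="verb" is assumed from the schema.
            for ctn in root.iter(P + "cTn"):
                if ctn.get("nodeType") in AUTO_NODE_TYPES:
                    found["auto_verb_actions"] += sum(1 for c in ctn.iter(P + "cmd") if c.get("type") == "verb")
    return found

def is_suspicious(found: dict) -> bool:
    """All three indicators together match the technique described in the post."""
    return found["slideshow_content_type"] and bool(found["package_ole_objects"]) and found["auto_verb_actions"] > 0

def build_sample() -> bytes:
    """Constructed minimal ppsx-like archive carrying every indicator; not a real sample."""
    slide = (f'<p:sld xmlns:p="{P_URI}"><p:cSld><p:spTree><p:graphicFrame>'
             '<p:oleObj progId="Package" name="Invoice.pdf        .vbs"><p:embed/>'
             '</p:oleObj></p:graphicFrame></p:spTree></p:cSld><p:timing><p:tnLst><p:par>'
             '<p:cTn nodeType="withEffect"><p:childTnLst><p:cmd type="verb" cmd="0"/>'
             '</p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>')
    types = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/ppt/presentation.xml" ContentType="{SLIDESHOW_CT}.main+xml"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("ppt/slides/slide1.xml", slide)
    return buf.getvalue()
```

A file renamed to .pps is still a zip, so the same checks apply; a legacy binary .ppt is not a zip and needs an OLE stream parser instead, which this example does not cover.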

See the full post with a sample of a malicious PowerPoint presentation: http://phishme.com/powerpoint-and-custom-actions/


Source: Akati
