A PowerPoint add-on is being used to spread malicious files, according to the findings of security company Avanan.
Avanan’s Jeremy Fuchs said the .ppam file — which has bonus commands and custom macros — is being used by hackers “to wrap executable files.”
The company began seeing the attack vector in January, noting that the .ppam files were used to wrap executable files in a way that allows hackers to “take over the end-user’s computer.” Most of the attacks are coming through email.
“In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten,” Fuchs said.
“In this email attack, hackers found a way to leverage a little-known file to wrap executable files. Using .ppam files, a PowerPoint add-on file, hackers can wrap, and thus hide, malicious files. In this case, the file will overwrite the registry settings in Windows, allowing the attacker to take control over the computer, and keep itself active by persistently residing in the computer’s memory.”
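As an added example (not code from Avanan or from the original article), this is one way a mail filter could flag the attachments described above: it recognises a .ppam add-in by file name or by the OOXML content type declared inside the archive, so a renamed add-in is still caught, and it reports whether a VBA macro project is present. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# OOXML main-part content type declared by a macro-enabled PowerPoint add-in.
PPAM_CT = b"application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"

def inspect_attachment(name, data):
    """Return a finding if the attachment is a .ppam add-in by name or content."""
    by_name = name.lower().endswith(".ppam")
    by_content = has_vba = False
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Office stores VBA macros in a part named vbaProject.bin.
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                by_content = PPAM_CT in zf.read("[Content_Types].xml")
    hit = {"file": name, "renamed": by_content and not by_name, "vba": has_vba}
    return hit if by_name or by_content else None

def scan_message(raw):
    """Check every attachment of a raw RFC 5322 message; return the findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = (inspect_attachment(p.get_filename() or "", p.get_payload(decode=True) or b"")
            for p in msg.iter_attachments())
    return [h for h in hits if h]

def ooxml_stub(content_type, with_vba):
    """Constructed sample: a minimal OOXML-shaped zip, not a real Office file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b'<Types><Override ContentType="' + content_type + b'"/></Types>')
        if with_vba:
            zf.writestr("ppt/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

def sample_message():
    """Constructed purchase-order style email with three attachments."""
    pptx = b"application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml"
    msg = EmailMessage()
    msg.set_content("Please see the attached order.")
    for fname, blob in [("order.ppam", ooxml_stub(PPAM_CT, True)),
                        ("order.pptx", ooxml_stub(PPAM_CT, True)),  # add-in renamed
                        ("slides.pptx", ooxml_stub(pptx, False))]:  # ordinary deck
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(sample_message()))
```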