Security News > 2022 > January > Malicious PowerPoint files used to push remote access trojans
Since December 2021, a growing trend in phishing campaigns has emerged that uses malicious PowerPoint documents to distribute various types of malware, including remote access and information-stealing trojans.
According to a report by Netskope's Threat Labs shared with Bleeping Computer before publication, the actors are using PowerPoint files combined with legitimate cloud services that host the malware payloads.
The malicious PowerPoint phishing attachment contains obfuscated macro executed via a combination of PowerShell and MSHTA, both built-in Windows tools.
The cryptocurrency stealer is the third payload of this campaign, which checks the clipboard data with a regex that matches cryptocurrency wallet patterns.
Netskope has published the complete list of IoCs for this campaign, including all wallets used by the actors on this GitHub page.
In December 2021, Fortinet reported about a similar DHL-themed campaign that also used PowerPoint documents to drop Agent Tesla.