122. APT36 Abuses PowerPoint PPAM Files to Deliver Crimson RAT
Hello everyone!
We have already talked a few times about how adversaries abuse PowerPoint to deliver malware. It's time to discuss it again!
Seqrite has published a report on APT36 activity (we track this activity cluster as Translucent Werewolf). According to the research, the threat actors leveraged PowerPoint macro-enabled add-in files (PPAM) to deliver Crimson RAT.
My observations suggest that such files are rare in modern environments, so PowerPoint being launched to open a PPAM file is worth hunting for:
event_type: "processcreatewin"
AND
proc_file_name: "powerpnt.exe"
AND
cmdline: "ppam"
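Here is the same hunt as runnable Python over a handful of constructed process-creation events, as an added example that is not from the post or the Seqrite report. It keeps the field names of the query above (event_type, proc_file_name, cmdline) and goes one step beyond it: a plain substring match on "ppam" also fires on a folder or double extension that merely contains the string, so the stricter version extracts the actual .ppam argument from the command line. It also adds a small triage helper for the file itself, since a .ppam is an OOXML zip container: the add-in main-part content type string and the vbaProject.bin part name are taken from my knowledge of the OOXML format and should be confirmed against a known-good .ppam; the sample events and the in-memory zip are constructed stand-ins, not real telemetry or a loadable add-in.

```python
import io
import re
import zipfile
from typing import Iterable, List, Optional

# Content type of the main part of a macro-enabled PowerPoint add-in (.ppam).
# Assumption from the OOXML format; verify against a real .ppam's [Content_Types].xml.
PPAM_MAIN_CONTENT_TYPE = "application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"

# A quoted or bare command-line token whose name ends in .ppam (case-insensitive).
# The lookahead rejects double extensions such as Template.ppam.pptx.
PPAM_ARG_RE = re.compile(r'"([^"]+\.ppam)"|(\S+\.ppam)(?=\s|$)', re.IGNORECASE)

# Constructed sample events in the layout used by the hunt above (not real logs).
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" "C:\Users\alice\Downloads\Agenda.ppam"'},
    {"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" C:\Users\bob\Desktop\Q3.PPAM'},
    # Folder name happens to contain "ppam": a substring match fires, the strict one does not.
    {"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" "C:\Users\bob\ppam_archive\Deck.pptx"'},
    # Same file name, but the process is not PowerPoint: out of scope for this hunt.
    {"event_type": "processcreatewin", "proc_file_name": "explorer.exe",
     "cmdline": r'C:\Windows\explorer.exe C:\Users\alice\Downloads\Agenda.ppam'},
    # Double extension: "ppam" is in the string but the file PowerPoint opens is a .pptx.
    {"event_type": "processcreatewin", "proc_file_name": "powerpnt.exe",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" "C:\Users\carol\Templates\Template.ppam.pptx"'},
]


def _is_powerpnt_start(ev: dict) -> bool:
    return (ev.get("event_type") == "processcreatewin"
            and ev.get("proc_file_name", "").lower() == "powerpnt.exe")


def hunt_naive(events: Iterable[dict]) -> List[dict]:
    """Literal reading of the query above: PowerPoint started, 'ppam' anywhere in the command line."""
    return [ev for ev in events if _is_powerpnt_start(ev) and "ppam" in ev.get("cmdline", "").lower()]


def ppam_path_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the .ppam path handed to PowerPoint, or None if no token ends in .ppam."""
    m = PPAM_ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def hunt_ppam_openings(events: Iterable[dict]) -> List[dict]:
    """Stricter hunt: PowerPoint started with an argument that is really a .ppam file."""
    hits = []
    for ev in events:
        if not _is_powerpnt_start(ev):
            continue
        path = ppam_path_from_cmdline(ev.get("cmdline", ""))
        if path:
            hits.append({**ev, "ppam_path": path})
    return hits


def inspect_ooxml(data: bytes) -> dict:
    """Triage an OOXML container: is it declared as a PowerPoint add-in, and does it carry a VBA project?"""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {
        "is_ppam": PPAM_MAIN_CONTENT_TYPE in content_types,
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
    }


def build_sample_ppam(with_vba: bool) -> bytes:
    """Constructed stand-in for a .ppam holding only the parts the triage reads; not a loadable add-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/ppt/presentation.xml" ContentType="{PPAM_MAIN_CONTENT_TYPE}"/>'
            "</Types>",
        )
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        if with_vba:
            # Real files carry an OLE compound document here; placeholder bytes suffice for the check.
            zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("naive hits :", len(hunt_naive(SAMPLE_EVENTS)))
    for hit in hunt_ppam_openings(SAMPLE_EVENTS):
        print("strict hit :", hit["ppam_path"])
    print("triage     :", inspect_ooxml(build_sample_ppam(with_vba=True)))
```

On the constructed events the literal query fires four times while the strict version fires twice, on Agenda.ppam and Q3.PPAM only; the two extra naive hits are the kind of noise you would otherwise have to triage by hand. When a hit does come back, pulling the file and running it through inspect_ooxml tells you whether it really is an add-in and whether it carries VBA before anyone opens it.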
See you tomorrow!