279. The Confucius Group Uses Malicious PowerPoint Show Files

Hello everyone!

I love when adversaries leverage uncommon file types in their spear phishing campaigns. And I spotted another interesting example today, this time its a PPSX file.

According to the reportThe Confucius group used such files phishing email campaign targeted users in Pakistan.

A PPSX file is a PowerPoint Show file created by Microsoft PowerPoint (or compatible programs like LibreOffice Impress or Google Slides). It’s a special type of PowerPoint file that opens directly in slideshow mode rather than in edit mode.

It's not very common, so it may be a good idea to hunt for any suspicious files with this extension:

event_type: "processcreatewin"

AND

proc_file_path: "powerpnt.exe"

AND

cmdline: *ppsx

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access