Crooks are using a new technique to deliver malware through PowerPoint documents.
Security researchers recently discovered several malicious PowerPoint files that exploit mouseover events to execute PowerShell code. Threat actors are sending out spam messages with subject lines such as “Purchase Order #130527” and “Confirmation,” and attachments named “order.ppsx” or “invoice.ppsx.”
The expert Ruben Daniel Dodge published an interesting post on the technique. It presents an attack scenario in which, when the PowerPoint presentation is opened, it displays the text “Loading…Please wait” as a hyperlink.
If the user hovers the mouse over the link, the execution of PowerShell code is triggered. Note that the code is triggered even if the user doesn’t click the link.
“When the user opens the document they are presented with the text “Loading…Please wait” which is displayed as a blue hyperlink to the user. When the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell. This is accomplished by an element definition for a hover action. This hover action is set up to execute a program in PowerPoint once the user mouses over the text.” wrote the researchers.
The Protected View security feature will inform the user of the risks and prompt them to allow the execution.
If the user enables the content, the PowerShell code is executed and a domain named “cccn.nl” is contacted to download and execute a file that is responsible for delivering the malware downloader.
The researcher also published the Indicators of Compromise for the attacks he has analyzed.
Unfortunately, the technique was already exploited in the wild by cyber criminals for their campaigns.
Malware researchers at SentinelOne have observed threat actors leveraging the technique to deliver a new variant of the banking Trojan Zusy, also known as Tinba and Tiny Banker.
“A new variant of a malware called “Zusy” has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like “Purchase Order #130527” and “Confirmation.” It’s interesting because it doesn’t require the user to enable macros to execute. Most Office malware relies on users activating macros to download some executable payload which does most of the malicious stuff, but this malware uses the external program feature instead.” states the report published by SentinelOne.
The researchers highlighted that the attack doesn’t work if the user opens the PowerPoint document with PowerPoint Viewer.
“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros,” continues SentinelOne Labs.
(Security Affairs – PowerPoint attack, malware)