
Malware delivered via PowerPoint Files


Cybercriminals have been using a new technique that combines PowerPoint files with mouse-over events to get users to execute arbitrary code on their systems and download malware.

It is not uncommon for malware to be delivered through specially crafted Office files, particularly Word documents. Those attacks depend on social engineering to trick the targeted user into enabling the VBA macros embedded in the document. A newly discovered attack, however, does not require the user to enable macros at all.

Researchers at the security firm SentinelOne have recently discovered a group of attackers using PowerShell commands embedded in a PowerPoint (PPT) file to execute malware on a targeted system. The technique requires neither macros, JavaScript nor VBA.

The malicious PowerPoint files distribute a banking Trojan known as ‘Zusy’. The files, named “order.ppsx” or “invoice.ppsx”, have been distributed via spam emails with subjects such as “Purchase Order #130527” and “Confirmation”.

Analysis by Ruben Daniel Dodge shows that when the presentation is opened, it displays the text “Loading…Please wait” as a hyperlink.


The PowerShell command is bound to a mouse-over action on that link, so simply hovering the mouse pointer over the text triggers it; no click is needed. Protected View, a security feature enabled by default in most supported versions of Office, intercepts this and prompts the user to enable or disable the content before anything runs.


If the victim enables the content, the command runs and contacts the domain “cccn.nl”. A file is downloaded from there, which in turn downloads and deploys the malware.

It has been observed, however, that the attack does not work when the presentation is opened in PowerPoint Viewer, and recent versions of Office warn the user before the code is executed.

“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros,” SentinelOne Labs said in a blog post.