Cybercriminals have been using new techniques which involves PowerPoint files and mouse over events, to get users to execute arbitrary code on their systems and download malware.
It’s not uncommon to deliver malware using specially crafted Office files, particularly Word documents. These attacks depend on social engineering to trick the targeted user into enabling VBA macros embedded in the document. But now, a new attack has been discovered, which doesn’t require users to enable the macros.
Those malicious PowerPoint files are distributing a malware called ‘Zusy,’ a banking Trojan. These files, named “order.ppsx” or “invoice.ppsx,” have been distributed via spam emails with titles such as “Purchase Order #130527” and “Confirmation.”
The conducted analysis by Ruben Daniel Dodge shows that when the PowerPoint presentation is opened, it displays the text “Loading…Please wait” as a hyperlink.
The PowerShell code is executed even if the user hovers the mouse over the link, even without clicking it. The Protected View security feature which is enabled by default in most supported versions of Office prompts the user to enable or disable the content.
If the victim enables the content, the code is executed and a domain named “cccn.nl” is contacted. A file is downloaded which results into malware being downloaded and deployed.
However it has been noticed that the attack does not work if the presentation is opened using the Powerpoint viewer and the recent versions of Office warns before the code gets executed.
“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros,” SentinelOne Labs said in a blog post.