A spam campaign is infecting users with malware via a malicious PowerPoint file with a hyperlink. If the user hovers over the link, PowerPoint proceeds to download a script along with the malware.
Just last month, security researchers discovered subtitle files with malicious code that could potentially give attackers complete control over any device that loaded them – be it a PC, a Smart TV, or a phone. The exploit was quickly patched by Kodi and other popular media players.
Ingenuity, however, has no bounds; this week, a new variant of the “Zusy” (also known Gootkit or OTLARD) malware was discovered within spam emails spreading across Europe, the Middle East, and Africa.
What’s interesting is that the malware does not rely on traditional ways of infecting a system via macros or other scripts. Instead, all it takes is the hover of a mouse cursor over a hyperlink inside a malicious PowerPoint file.
As described by SentinelOne, the malicious PowerPoint file is where most of the magic happens. Once opened, the file displays but one slide with the text “Loading… Please Wait” that’s hyperlinked. If the user hovers their mouse cursor over this link, PowerPoint executes Windows PowerShell with a script that proceeds to download the actual malware.
Thankfully, PowerPoint does not execute this program without user consent. Sadly, all it takes to skip this security notice (seen above) is a little bit of impatience on the user’s part. It also does not appear if Protected View is disabled, a feature that was added with Office 2010.
Office 365 users can also be targeted, but the malicious PowerPoint file does not work if it is opened via PowerPoint Online, as the web version does not have the functionality to execute code on a user’s machine. This trick doesn’t work with PowerPoint Viewer either, as it also lacks the feature.
As noted by Dodge This Security, the malware appears to set up a backdoor to establish an RDP connection to the infected computer, giving attackers complete access to the system:
Since the malicious PowerPoint file is distributed via a spam campaign, it could potentially reach a large number of Office users across the world. These emails appear to contain a pattern in their subject line as well, by using transactional phrases like “Purchase Order” or “Confirmation” followed by a serial number. Trend Micro notes that this could be the perpetrators attempting to track « the spam messages that they send. »
Source and Images: Trend Micro, Dodge This Security, SentinelOne via ArsTechnica