Malicious PowerPoint presentations are spreading a malware that executes when the user “mouses over” a link—no clicking or macros required.
“This document was interesting as it did not rely on macros, Javascript or VBA for the execution method,” explained Ruben Dodge, in his Dodge This Security blog, in an analysis. “Which means this document does not conform to the normal exploitation methods.”
When the user opens the document, he or she will be presented with text saying, “Loading…Please wait,” which is displayed as a blue hyperlink. When the user mouses over the text (which is the most common way users would check a hyperlink) it results in Powerpoint executing PowerShell. When that PowerShell is executed it reaches out to a malicious domain, downloading various executables and eventually establishing remote desktop protocol (RDP) for remote access to the system.
“I sandboxed the payload for eight hours but no threat actors connected to the system,” said Dodge, who describes himself as a cyber-intelligence analyst at a Fortune 50. “So I was unable to see what other purpose the backdoor might have if the threat actors had taken specific interest in the system.”
Caleb Fenton and Itai Liba, senior security researchers at SentinelOne Labs, said that the propagation technique is being used to distribute a new variant of a malware called “Zusy,” which is a spyware Trojan. In this campaign, the PowerPoint file is attached to spam emails with titles like “Purchase Order #130527” and “Confirmation”.