Banking Trojan: Lose Your Information With a Hover Over a PowerPoint Hyperlink

Spammers are looking for new ways to get victims to install malware, and the latest one downloads the malware automatically when the user hovers over a hyperlink in a PowerPoint slide show.

The new infection method, which gets e-mail recipients to download and install malware over the network, is a twist on the common advice that re-emerged in 2015 alongside the Office macro malware threat, namely that users should not click on links from doubtful sources.

The new twist, reported by Bleeping Computer, does not use Office macros. Instead, the malware is installed when the user hovers over a hyperlink in a PowerPoint slide show. When the user opens the PowerPoint file and hovers over the hyperlinked text, a PowerShell command runs, connects to a malicious domain, and downloads the malware.

The malware reaches users as a spam e-mail. The subject header and the name of the attached file present it as either an invoice or a purchase order. A point to note about the attachment is its file format: it is the open-source version of the Microsoft PowerPoint slide show (PPSX), which can only be viewed and not edited, unlike normal PPT or PPTX files.

Hovering over the hyperlinked text “Loading… Please wait” displayed in the Microsoft PowerPoint slide show (PPSX) downloads the malicious software automatically if Office Protected View is not enabled. Protected View was enabled as a default setting in Office 2010; with it, Office displays a “security warning” message, which then blocks the malware download.

The PowerPoint file downloads a trojan known as Gootkit or Otlard, and called Zusy by SentinelOne (a venture-backed cyber-security company located in Palo Alto, California). The trojan is known for stealing credentials and bank account information by compromising websites with malicious iframe code.

At the end of May, Trend Micro, a Japanese multinational security software company as well as the global leader in cyber security solutions for businesses, networks, etc., detected a spam operation using the malicious PowerPoint files and targeting organizations in Poland, the Netherlands, etc. Previously, the same gang of spammers used macro malware documents to deliver different payloads.

Although the current campaign was not very extensive, it may turn out to be a “dry run for future campaigns”, as estimated by the Trend Micro researchers.

Trend Micro has written, “No doubt features such as OLEs, macros, and mouse hovers have their own good and genuine uses, but unfortunately they are taken over by the wrong hands. To infect the victim, first a socially engineered e-mail and a mouse hover link are made to appear in front of you, and then, with the second one disabled, there is the possibility of a click, resulting in the download of the malware.”

Maria Silvia is the writer of this article. She is a keen writer and loves to write on technical topics. She does proper research on every topic before bringing it in front of the user. Her dedication, experience and flair in writing style are helping our website gain popularity amongst the clients. She has also written on many topics such as McAfee Support, Norton Support, etc.

