New Trojan executes when the user hovers over a PowerPoint link
The file in question is a PowerPoint presentation that potential victims receive as an email attachment. The subject line usually contains one of the following: “RE:Purchase orders #69812” or “Fwd:Confirmation”. The name of the file is “order&prsn.ppsx”, “order.ppsx”, or “invoice.ppsx”. The infected file may also be packed in a .zip archive.
This method was used in spam campaigns to install a bank-fraud backdoor also known as Gootkit, Zusy or Otlard. Once the target hovers over the embedded hyperlink in the attached PowerPoint file, a PowerShell tool is invoked and installs the malware. Users of newer versions of Microsoft Office (2010 and above) should receive a warning because of the Protected View feature (picture below). Protected View is a read-only mode where most editing functions are disabled.
Spam campaigns with malicious content can spread rapidly, but for now the success rate of this hover technique is still unknown. If only half a percent of internet users activated this malware, it would pose a huge security threat to many organizations and individual users, especially those using older versions of Microsoft Office.
To avoid infection with this malware, Microsoft suggests using Protected View, which should be enabled by default, especially for files downloaded from the internet.
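For mail-gateway or triage use, the hover trigger described above can be looked for directly in an attachment. The following is an added example, not code from the original article: it assumes the mouse-over action is stored the way the Office Open XML format defines it (an `a:hlinkMouseOver` element in the slide XML whose `r:id` points to a relationship target), and the sample file and function names are constructed for illustration.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted mail, run in a sandbox or use a hardened parser

A = "http://schemas.openxmlformats.org/drawingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_hover_actions(data: bytes):
    """Return (slide, action, target) for every mouse-over hyperlink in a .ppsx/.pptx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            # Each slide's relationship part maps rId values to their real targets.
            rels_name = "ppt/slides/_rels/%s.rels" % name.rsplit("/", 1)[1]
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter("{%s}Relationship" % PR):
                    targets[rel.get("Id")] = rel.get("Target", "")
            for el in ET.fromstring(z.read(name)).iter("{%s}hlinkMouseOver" % A):
                rid = el.get("{%s}id" % R, "")
                hits.append((name, el.get("action", ""), targets.get(rid, "")))
    return hits

def is_suspicious(hit):
    """Flag hover actions that run a program or reference PowerShell."""
    _, action, target = hit
    return action.startswith("ppaction://program") or "powershell" in target.lower()

def constructed_sample() -> bytes:
    """Constructed, non-openable stub holding only the two parts the scanner reads."""
    slide = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             'xmlns:a="%s" xmlns:r="%s"><a:hlinkMouseOver r:id="rId2" '
             'action="ppaction://program"/></p:sld>' % (A, R))
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId2" '
            'Target="powershell-PLACEHOLDER" TargetMode="External"/></Relationships>' % PR)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_hover_actions(constructed_sample()):
        print("SUSPICIOUS" if is_suspicious(hit) else "review", hit)
```

Any hover action in an emailed slide show is unusual enough to merit review; attachments delivered inside a .zip need to be unpacked before scanning.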