
Malicious Email Attachment Downloads and Executes Malware On Mouse Hover Over


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Researchers have discovered a new malware delivery technique which only requires the user to open a malicious PowerPoint Document and hover over a link.

Threat details

The malware arrives in a spam email disguised as a purchase order or invoice, with a malicious PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) file attached. These two file types differ from editable PowerPoint presentation files (PPT or PPTX): a PPS or PPSX file opens directly in slide-show mode, so the victim is shown the lure slide straight away rather than the editing view.

Once the file has been downloaded and opened, the attack still depends on user interaction. The victim must move the mouse pointer over text or an image that carries the malicious link, which fires the mouseover action; if a security alert then appears, the victim must also choose to enable the content before the payload can run.

The technique relies heavily on social engineering. Later versions of Office open files from untrusted sources, such as email attachments, in Protected View, which blocks active content by default. The attacker therefore needs the victim both to open the file and to explicitly allow the content before the malware can run on their machine.

Instead of relying on macros, the document abuses a built-in PowerPoint feature that can run an external program from a hyperlink action. The mouseover action attached to the link launches a PowerShell command as soon as the user moves the mouse pointer over it, and that command downloads and executes the payload.

If Protected View is enabled (the default in Office 2010 and Office 2013), the link's action is held behind a security dialogue box asking whether to enable it. Users should not enable the link.
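The hyperlink mechanism described above can be checked statically, without opening the file in PowerPoint, because a PPSX is an OOXML zip container: the trigger is an `a:hlinkMouseOver` (or `a:hlinkClick`) element on a slide whose `action` attribute is `ppaction://program`, and the command to run is the `Target` of the external relationship that the element's `r:id` points at. The Python script below is an added example, not code from the original alert. It builds a constructed single-slide .ppsx in memory (the lure text, the file and the command are invented for the demo; the mouseover action points at a harmless PowerShell echo, not a real payload), then scans every slide part for program actions and resolves each one to the target that would be executed. The element and relationship names are the standard PresentationML ones; `build_sample`, `find_program_actions` and `demo` are names chosen for this example.

```python
"""Static triage of a PowerPoint OOXML file (PPTX/PPSX) for hover- or
click-triggered program launches.

Added example, not code from the original alert. The sample file is
constructed here: one slide whose text run carries a hyperlink action, with
the relationship target set to a harmless 'powershell' echo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
PROGRAM_ACTION = "ppaction://program"   # PowerPoint's "Run program" hyperlink action

# Constructed slide part: a text box whose run has a hyperlink action. The
# trigger element (hlinkMouseOver / hlinkClick) and the action attribute are
# parameters so one template yields both a malicious and a benign sample.
SLIDE_TEMPLATE = (
    '<p:sld xmlns:a="{a}" xmlns:p="{p}" xmlns:r="{r}"><p:cSld><p:spTree>'
    '<p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr/>'
    '<p:sp><p:nvSpPr><p:cNvPr id="2" name="TextBox 1"/><p:cNvSpPr txBox="1"/><p:nvPr/></p:nvSpPr>'
    '<p:spPr/><p:txBody><a:bodyPr/><a:p><a:r><a:rPr lang="en-GB">'
    '<a:{trigger} r:id="rId2"{action_attr}/>'
    "</a:rPr><a:t>View invoice</a:t></a:r></a:p></p:txBody></p:sp>"
    "</p:spTree></p:cSld></p:sld>"
)
# Constructed rels part: rId2 is the external hyperlink relationship whose
# Target holds the command string (or URL) the action resolves to.
RELS_TEMPLATE = (
    '<Relationships xmlns="{rel}">'
    '<Relationship Id="rId2" Type="{hl}" Target="{target}" TargetMode="External"/>'
    "</Relationships>"
)


def build_sample(trigger: str, action: str, target: str) -> bytes:
    """Return a minimal in-memory .ppsx (zip) with one slide and its rels part."""
    action_attr = f' action="{action}"' if action else ""
    slide = SLIDE_TEMPLATE.format(trigger=trigger, action_attr=action_attr, **NS)
    rels = RELS_TEMPLATE.format(rel=NS["rel"], hl=HYPERLINK_REL,
                                target=escape(target, {'"': "&quot;"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def slide_rels(z: zipfile.ZipFile, slide_path: str) -> Dict[str, Tuple[str, str]]:
    """Map r:id -> (Target, TargetMode) from the slide's companion .rels part."""
    folder, name = slide_path.rsplit("/", 1)
    rels_path = f"{folder}/_rels/{name}.rels"
    if rels_path not in z.namelist():
        return {}
    root = ET.fromstring(z.read(rels_path))
    return {
        rel.get("Id"): (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
        for rel in root.findall("rel:Relationship", NS)
    }


def find_program_actions(data: bytes) -> List[Dict[str, str]]:
    """Flag every hyperlink action on any slide whose action would run a program."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for path in sorted(z.namelist()):
            if not (path.startswith("ppt/slides/slide") and path.endswith(".xml")):
                continue
            rels = slide_rels(z, path)
            root = ET.fromstring(z.read(path))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS['a']}}}{trigger}"):
                    action = el.get("action", "")
                    if not action.startswith(PROGRAM_ACTION):
                        continue   # ordinary URL or slide-jump hyperlink
                    target, mode = rels.get(el.get(f"{{{NS['r']}}}id"), ("<unresolved>", "?"))
                    hits.append({"slide": path, "trigger": trigger, "action": action,
                                 "target": target, "mode": mode})
    return hits


def demo() -> Tuple[int, int]:
    """Scan a constructed malicious sample and a benign one; return the hit counts."""
    evil = build_sample("hlinkMouseOver", PROGRAM_ACTION,
                        'powershell -NoP -c "Write-Host demo"')   # harmless stand-in command
    benign = build_sample("hlinkClick", "", "https://example.invalid/invoice")
    evil_hits = find_program_actions(evil)
    for h in evil_hits:
        print(f"{h['slide']}: {h['trigger']} -> {h['action']} runs {h['target']!r} ({h['mode']})")
    return len(evil_hits), len(find_program_actions(benign))


if __name__ == "__main__":
    print(demo())
```

Matching on `ppaction://program` rather than on the string `powershell` catches variants that launch cmd.exe, mshta or any other program, and checking `hlinkClick` as well as `hlinkMouseOver` covers the same action wired to a click instead of a hover. The command string lives in the `TargetMode="External"` relationship, not in the slide XML itself, which is why the scanner resolves the `r:id`; a reviewer who only reads the slide part will not see it.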

The PowerShell command launched at this stage initiates the infection chain that ultimately delivers malware such as Zusy.

Zusy is classified as a spyware Trojan. The spam emails carrying it have used subject lines such as “Purchase Order #130527” and “Confirmation”.


Remediation advice

Ensure that:
  • A robust programme of education and awareness training is delivered to users, so that they do not open attachments or follow links in unsolicited emails.
  • Antivirus and other security products are kept up to date.
  • All operating systems, browsers and applications are fully patched with the latest security updates.
  • All day-to-day computer activities, such as email and web browsing, are performed using non-administrative accounts, and permissions are always assigned on the basis of least privilege.
  • Your organisation adopts a holistic approach to cyber security, as advocated by the NCSC's 10 Steps to Cyber Security.

Last edited: 17 February 2020 11:34 am