“Disable macros and always be extra careful when you manually enable them while opening Microsoft Office Word documents.”
You have probably seen the above security warning many times on the Internet, because attackers have leveraged this decade-old macro-based technique for years to compromise computers through specially crafted Microsoft Office files, particularly Word documents, attached to spam emails.
But a new social engineering attack has been discovered in the wild that doesn’t require users to enable macros at all; instead it executes malware on the targeted system using a PowerShell command embedded inside a PowerPoint (PPT) file.
Moreover, the malicious PowerShell command hidden inside the document triggers as soon as the victim hovers the mouse over a link, which downloads an additional payload onto the compromised machine, without the link ever being clicked.
Researchers at security firm SentinelOne have discovered that a group of attackers is using malicious PowerPoint files to distribute ‘Zusy,’ a banking Trojan also known as ‘Tinba’ (Tiny Banker).
Discovered in 2012, Zusy is a banking Trojan that targets financial websites and has the ability to sniff network traffic and perform Man-in-the-Browser attacks in order to inject additional forms into legitimate banking sites, asking victims to share more sensitive data such as credit card numbers, TANs, and authentication tokens.
“A new variant of a malware called ‘Zusy’ has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like ‘Purchase Order #130527’ and ‘Confirmation.’ It’s interesting because it doesn’t require the user to enable macros to execute,” researchers at SentinelOne Labs say in a blog post.
The PowerPoint files have been distributed through spam emails with subjects like “Purchase Order” and “Confirmation,” which, when opened, display the text “Loading…Please Wait” as a hyperlink.
When a user hovers the mouse over the link, PowerPoint tries to run the PowerShell command, but the Protected View security feature, which is enabled by default in most supported versions of Office, including Office 2013 and Office 2010, blocks it: Office instead displays a severe warning and prompts the user to enable or disable the content (an external program, not a macro).
If the user ignores this warning and allows the content to run, the PowerShell command connects to the “cccn.nl” domain, downloads a file from it and executes that file, which is eventually responsible for delivering the new variant of the Zusy banking Trojan.
“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros,” SentinelOne Labs says. “Also, some configurations may possibly be more permissive in executing external programs than they are with macros.”
“This is accomplished by an element definition for a hover action. This hover action is set up to execute a program in PowerPoint once the user mouses over the text. In the resources definition of slide1 ‘rId2’ is defined as a hyperlink where the target is a PowerShell command,” Dodge said.
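The description above is enough to write a triage check for this technique without opening the file in PowerPoint. A .pptx is a zip of XML parts: each slide (ppt/slides/slideN.xml) carries its hyperlinks and actions as hlinkClick, hlinkMouseOver (text runs) or hlinkHover (shapes) elements with an r:id, and the matching relationships part (ppt/slides/_rels/slideN.xml.rels) maps that r:id to the real target. A “Run program” action is expressed as action="ppaction://program" with the target being the command line rather than a URL. The script below is an added example, not SentinelOne’s or the campaign’s code: it builds a constructed, harmless sample deck in memory (the PowerShell target only prints a string, and the slide/relationship XML is a minimal hand-written stand-in, not the real sample), then resolves every action to its target and flags run-program actions and any target that is not a plain http(s)/mailto URL. The element and action names are standard Office Open XML; everything else (function names, the sample content) is assumed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
P = "{http://schemas.openxmlformats.org/presentationml/2006/main}"
R_ID = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}id"
REL = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# text-run links (hlinkClick / hlinkMouseOver) and shape-level hover links (hlinkHover)
LINK_TAGS = {A + "hlinkClick", A + "hlinkMouseOver", A + "hlinkHover"}
SAFE_TARGET = re.compile(r"^(https?://|mailto:)", re.IGNORECASE)

# Constructed sample slide (not the real malicious file): one text run with a
# mouse-over "run program" action, as described in the article, plus one
# ordinary clickable web link for contrast.
SLIDE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"
       xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
      <a:t>Loading...Please Wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkClick r:id="rId3"/></a:rPr>
      <a:t>Read more</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""

# Constructed relationships part: rId2 resolves to a harmless PowerShell command
# line instead of a URL (the give-away); rId3 is a normal hyperlink.
SLIDE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
     Target="powershell -WindowStyle Hidden -Command &quot;Write-Host constructed-sample&quot;" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
     Target="https://example.com/" TargetMode="External"/>
</Relationships>"""


def build_sample_pptx() -> bytes:
    """Pack the two constructed parts into a minimal .pptx-style zip held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", SLIDE_RELS)
    return buf.getvalue()


def _owner_text(el, parent):
    """Walk up to the text run (a:r) or shape (p:sp) that owns a link and collect its visible text."""
    node = el
    while node is not None and node.tag not in (A + "r", P + "sp"):
        node = parent.get(node)
    if node is None:
        return ""
    return "".join(t.text or "" for t in node.iter(A + "t"))


def find_action_links(pptx_bytes: bytes):
    """List every hyperlink/action on every slide, resolved to its relationship target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = set(z.namelist())
        for slide in sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            rels_name = "ppt/slides/_rels/" + slide.rsplit("/", 1)[1] + ".rels"
            targets = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(REL + "Relationship"):
                    targets[rel.get("Id")] = rel.get("Target", "")
            root = ET.fromstring(z.read(slide))
            parent = {child: node for node in root.iter() for child in node}
            for el in root.iter():
                if el.tag not in LINK_TAGS:
                    continue
                findings.append({
                    "slide": slide,
                    "trigger": el.tag.split("}")[1],   # hlinkClick / hlinkMouseOver / hlinkHover
                    "action": el.get("action", ""),
                    "text": _owner_text(el, parent),
                    "target": targets.get(el.get(R_ID), ""),
                })
    return findings


def is_suspicious(finding) -> bool:
    """Flag 'run program' actions, and any external target that is not a plain URL."""
    action, target = finding["action"].lower(), finding["target"].strip()
    if action.startswith("ppaction://program"):
        return True          # the "Run program" action used by this campaign
    if not target:
        return False         # in-deck navigation actions (next slide etc.) have no external target
    return not SAFE_TARGET.match(target)


def scan_pptx(pptx_bytes: bytes):
    """Return only the findings a reviewer should look at."""
    return [f for f in find_action_links(pptx_bytes) if is_suspicious(f)]


if __name__ == "__main__":
    for f in scan_pptx(build_sample_pptx()):
        print(f"{f['slide']}: {f['trigger']} on \"{f['text']}\" -> {f['target']} ({f['action']})")
```

Run against a real deck by replacing build_sample_pptx() with the bytes of the file; the scan never executes anything, it only reads the zip. Note that it is possible to use a PPS/PPSX (slideshow) wrapper or a different relationship type for the same trick, so treat this as one triage signal rather than a complete detector.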
The security firm also notes that the attack doesn’t work if the malicious file is opened in PowerPoint Viewer, which refuses to execute the program. But the technique could still be effective in some cases.