Malware in PowerPoint Files Activates via Mouse Hover Without a Click


Security experts at Trend Micro have discovered a new malware technique that allows cybercriminals to infect your computer with a banking Trojan even if you don’t click any links or download attachments in phishing emails. All it takes to trigger the download is to hover your mouse pointer over a hyperlink or image in a carrier Microsoft PowerPoint file.

The malware arrives as a spam email disguised as a purchase invoice or order with a malicious PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) file attached. These two file types differ from PowerPoint presentation files (PPT or PPTX), which can be edited. A PPS or PPSX file opens directly into presentation mode.

Once the PowerPoint file is downloaded and opened, it requires further user interaction. The file has a single hyperlink in the center saying “Loading… please wait” that has an embedded malicious PowerShell script. When you hover your mouse pointer over the hyperlink, it executes the malicious script. If you’re running a newer version of Microsoft Office, though, you’ll still need to approve the malware’s download before it infects your PC.
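The hover trigger described above is not hidden in a macro; in the Open XML (PPTX/PPSX) format it is an ordinary hyperlink element on a slide run, distinguished only by being a mouse-over action (`a:hlinkMouseOver`) whose action is `ppaction://program` ("run program") and whose relationship target is a command line rather than a URL. The scanner below is an added example written for this article, not Trend Micro's code or a tool from their report; it uses the element and attribute names defined in ECMA-376 for PresentationML, and the archive it scans is a constructed, deliberately incomplete sample (slide part and its relationships only, so it is not an openable deck and the target command is a harmless placeholder).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PresentationML slide parts and their relationship files
NS = {
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]
# ppaction:// schemes that execute something instead of navigating (ECMA-376 hyperlink actions)
EXEC_ACTIONS = ("ppaction://program", "ppaction://macro", "ppaction://ole")
# Targets we consider ordinary: web/mail URLs, or an internal part such as slide2.xml
SAFE_TARGET = re.compile(r"^(https?://|mailto:)|\.xml$", re.IGNORECASE)


def _slide_rels(zf, slide_name):
    """Map relationship Id -> Target for one slide part (ppt/slides/slideN.xml)."""
    folder, base = slide_name.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target", "")
            for rel in root.findall("rel:Relationship", NS)}


def scan_presentation(data):
    """Return a list of suspicious hyperlink actions found in PPTX/PPSX bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkClick", "hlinkMouseOver"):
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    action = el.get("action", "")
                    target = rels.get(el.get(R_ID, ""), "")
                    reasons = []
                    if action.startswith(EXEC_ACTIONS):
                        reasons.append("executes via " + action)
                    if target and not SAFE_TARGET.match(target):
                        reasons.append("target is not a URL or slide part")
                    if trigger == "hlinkMouseOver" and reasons:
                        reasons.append("fires on hover, no click needed")
                    if reasons:
                        findings.append({"slide": name, "trigger": trigger,
                                         "action": action, "target": target,
                                         "reasons": reasons})
    return findings


def build_sample_ppsx():
    """Constructed sample: one normal link plus one hover-triggered 'run program'
    action, mirroring the 'Loading... please wait' lure. Placeholder command only."""
    slide = f"""<p:sld xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" xmlns:r="{NS['r']}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkClick r:id="rId2"/></a:rPr><a:t>Invoice portal</a:t>
    </a:r></a:p></p:txBody></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId3" action="ppaction://program"/></a:rPr>
      <a:t>Loading... please wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    hl = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    rels = f"""<Relationships xmlns="{NS['rel']}">
  <Relationship Id="rId2" Type="{hl}" Target="https://example.com/invoice" TargetMode="External"/>
  <Relationship Id="rId3" Type="{hl}" Target="powershell -Command Write-Host constructed-sample" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_presentation(build_sample_ppsx()):
        print(f["slide"], f["trigger"], f["action"], repr(f["target"]), "; ".join(f["reasons"]))
```

Point `scan_presentation` at the bytes of a real attachment (`open(path, "rb").read()`) to use it on mail-gateway or sandbox samples; the ordinary `hlinkClick` to an HTTPS URL produces no finding, while the hover action is reported with all three reasons. The check is deliberately narrow: it looks only at slide hyperlink actions, so it complements rather than replaces macro and OLE inspection of the same file.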

The malware downloader delivers a version of the OTLARD banking Trojan, also known as GootKit. This Trojan is known to steal banking information and credit card details, and is capable of remote access, network traffic monitoring, and browser manipulation.

“While GootKit is known malware, businesses should be more concerned about this latest technique as it shows none of the usual indicators of an infected document,” said Mark Nunnikhoven, Trend Micro’s VP of cloud security.

“This technique only targets PowerPoint files. I would expect it to expand to other Microsoft Office documents shortly since they support similar functionality,” he added.

To avoid this malware infection, Trend Micro suggests using PowerPoint’s Protected View. When Protected View is enabled, PowerPoint will issue a warning about the malicious code.

Source: TrendMicro Blog

