Powerpoint Mouseover Malware Exploit

A new malware attack is doing the rounds. This time it’s a PowerPoint file that triggers a malware download into your system the moment you hover your mouse pointer over the file link. Known as the PowerPoint Mouse-OverExploit, the attack uses the PowerShell code in Microsoft and does not even need you to click on a file; simply hovering your mouse over it will call the necessary code to infect the system. All this happens in the backend with no interaction from the user.

An Effortlessly Easy Attack

Unlike other malware or attacks where you have to download or click suspicious files, this malware is dangerous because it makes use of social engineering. People are prone to trust Microsoft Office files, download them and enable macros without thinking twice. Billions of people use the Microsoft Office Suite for everyday tasks and so the sharing and passing of MS Office files are common and are not considered as containing malicious links. People may not trust online links, but a Microsoft Office file is inherently assumed to be safe and harmless. It may not even occur to the user that the file may be a malware and that they could infect their systems with a simple mouse-over (even if they choose not to click it).

How Does the Attack Take Place?

Keywords relevant to the industry are used to trigger an opening of the email. For example, words like, ‘invoice,’ ‘purchase order,’ etc were used in an email sent to the victim, asking them to open the PowerPoint document to view the invoice. The emails contained PPS or PPSX files instead of the usual PPT files. PPS or PPSX files are considered as the final product and they launch directly into presentation mode instead of downloading into the system.

When the file launches, a certain text or image provokes the user to hover their mouse over the area. Here is where the virus plays on social engineering – the file prompts a security pop-up from Microsoft Office, but people generally ignore the security prompt and click on the Enable option in order to access the file. The moment they enable macros, an embedded malicious PowerShell script (which is anotherwise legitimate file) is executed. The script calls for another downloader which then retrieves the payload from the main command center.

About the Malware

The malicious mouseover malware was traced back to be a variant the OTLARD/GootKitTrojan, famous for its bank credential thefts from European businesses. The Trojan emerged in 2012 and has since been linked with bank account information theft and masqueraded spam messages. A report published by TrendLabs claimed that manufacturing, education, logistics and pyrotechnics organizations in the U.K, Poland, Netherlands, and Sweden were largely affected by the attacks from this Trojan. The operators of the malware use these malicious strategies to deliver their payloads and the PowerPoint mouseoverexploit is one of their new tactics.

The attack quickly waned as Office’s security settings were efficient enough to detect compromised scripts. The spam attack started on May 25th with 1,444 detections and immediately dropping down on May 29th. Although the malware was contained, it definitely opened doors for more sophisticated attacks. It was a clear indicator that cyber criminals are experimenting new methods by using social engineering and psychological behaviors. This malware cannot be effective until use rinteraction plays a role! Experts consider this a dangerous tactic because socially engineered cyber crimes are difficult to control. Mouse hovers or macros have legitimate uses and people are alway senabling macros to work on MS office files.

Protection Against the Malware Is Easy

Fortunately for us, naïve users, security defenses against malware attacks are now pretty strong. This malware cannot execute its task if the MicrosoftProtected View is enabled. The moment a user runs the mouse over thelink, the Protected View prompts a security message giving the user achoice to enable macros. Once the user enables the macros, themalware downloads the code. Microsoft’s security settings automatically detect malicious links and disable content from such sources; however, it is directly dependent upon user interaction to prevent or allow the virus to execute. Security experts believe that these attacks can be prevented if users do not instantly enable macros without first verifying the subject, the sender ID or theemail. If Microsoft prompts a security message, the user needs to take it seriously and not automatically click on, ‘enable macros.’

While individualscan be cautious, businesses can enhance their web security by increasing web filtering. Experts believe if businesses could preventsystems from reaching malware host websites, then there is less of achance of being attacked.

Basic Security Measures

Vigilance and diligence are required to prevent such attacks from taking shape. Files from untrusted or unknown senders must not be opened without verifying it from them. Default security settings of operating systems and other popular software should not be disabled. Along with your regular antivirus, these security settings are an important layer of protection. The same practice must be carried out even if you receive an email from a trusted sender. The moment a security alert pops up, it should be taken seriously. Malware and ransomware attacks are successful because of human vulnerability to trust and lack of knowledge. These attacks thrive on social engineering and it takes human effort to prevent such attacks from carrying out serious harm. Ironically, it’s always our laid-back attitude to online security that gives strength and virility to these attacks.

Farah tries to keep up with the fast-paced tech world by writing about it. She covers latest tech news and writes informative pieces to help her readers make informed decisions about their tech preferences.
BeepWee