Security researchers have warned that cybercriminals have recently started sending spam campaigns with PowerPoint files that contain a mouseover link which installs a variant of the Zusy malware on a computer. The downloader installs a banking Trojan on the PC the moment the mouse pointer hovers over the link.
People who believe they are safe from malware because they have never clicked a suspicious-looking link can easily be proved wrong by this ‘Mouseover’ technique, which relies on users hovering their mouse over hyperlinked text and images in Microsoft PowerPoint files to drop a Trojan.
According to researchers, the Mouseover technique, used by a Trojan downloader, was also found in a spam campaign hitting EMEA businesses in the manufacturing, education, pyrotechnics, logistics, and device fabrication industries. The emails’ subjects were mostly finance-related, such as “Invoice”, “Order #”, “Purchase Order #130527” and “Confirmation”, with an attached PowerPoint presentation named like “order.ppsx”, “invoice.ppsx” or “order&prsn.ppsx”.
The downloader delivers a version of the OTLARD banking Trojan, also known as GootKit. This is the first occurrence of malware using the ‘hover’ method to initiate a download.
GootKit first appeared in 2012 and grew into an information-stealing Trojan with remote access, persistence, network traffic monitoring, and browser manipulation capabilities. It has traditionally been used to steal banking credentials from European financial businesses.
While GootKit is known malware, businesses should be more concerned about this latest technique, as it shows none of the usual indicators of an infected document.
Once the victim opens the PowerPoint file, a hyperlinked message reading “Loading… Please wait” is displayed in the center; the link carries an embedded malicious PowerShell script. If a user hovers over those words, it triggers an infection chain that delivers the Zusy malware payload. If you’re running a newer version of Microsoft Office, though, you’ll still need to approve the malware’s download before it infects your PC, because these versions have Protected View, which shows a prompt warning about a “potential security concern” when the script starts to run. Click Disable at that prompt and you’ll be fine. However, older versions of the suite don’t have that extra layer of security, and there the downloader can install a Trojan on the system to steal credentials and bank account information the moment the mouse pointer hovers over the link.
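The hover-triggered action described above lives in the presentation's OOXML: each slide is an XML part inside the zip container, a text run can carry an `a:hlinkMouseOver` (or `a:hlinkClick`) element, and when its `action` attribute is `ppaction://program` PowerPoint runs the external target named in the slide's relationships part. The scanner below is an added example, not code from the article or from the researchers it cites; it walks a .ppsx and reports every such "run program" action so a mail gateway or an analyst can triage the attachment without opening it. The sample file it builds is constructed for the demonstration and points at a harmless placeholder name rather than any real command.

```python
"""Flag hover/click 'run program' actions in a PowerPoint OOXML file (.pptx/.ppsx).
Added example; the sample presentation built here is constructed, not a real one."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PresentationML slides and package relationships.
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]


def load_rels(zf: zipfile.ZipFile, slide_name: str) -> dict:
    """Map relationship ids of one slide part to (Target, TargetMode)."""
    base, name = slide_name.rsplit("/", 1)
    rels_name = f"{base}/_rels/{name}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {
        rel.get("Id"): (rel.get("Target"), rel.get("TargetMode"))
        for rel in root.findall("rel:Relationship", NS)
    }


def find_program_actions(data: bytes) -> list:
    """Return (slide part, trigger, target) for every hover or click action
    whose PowerPoint action is ppaction://program, i.e. 'run an external program'.
    Any such action deserves analyst attention regardless of the target string."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = load_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    if el.get("action", "").startswith("ppaction://program"):
                        target, _mode = rels.get(el.get(R_ID), (None, None))
                        hits.append((name, trigger, target))
    return hits


# Constructed minimal slide: one text run that may carry a mouseover action.
SLIDE_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US">{HOVER}</a:rPr>
      <a:t>Loading... Please wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""

# Constructed relationships part; the target is a placeholder name, not a real command.
RELS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="placeholder-program.exe"/>
</Relationships>"""


def build_sample_ppsx(with_hover_action: bool = True) -> bytes:
    """Build the constructed .ppsx in memory, with or without the hover action."""
    hover = ('<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
             if with_hover_action else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_TEMPLATE.replace("{HOVER}", hover))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_program_actions(build_sample_ppsx()):
        print("suspicious action:", hit)
```

The check deliberately keys on the `ppaction://program` action rather than on the target text, since a legitimate presentation has no reason to launch a program on hover, and a target string can be obfuscated while the action attribute cannot.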
However, the campaign appears to have ended on May 29, after sending spam mails on May 25 with 1,444 detections. Still, it’s better to steer clear of similar emails, as the campaign may well have been just a test run for something bigger and worse.