Malicious PowerPoint documents are spreading malware that executes when the user simply hovers over a hyperlink. This new variant of the Zusy malware is particularly dangerous, as it does not require the user to enable macros or actually click on a link; a departure from normal exploitation methods.
When the user hovers or ‘mouses’ over the text, the malicious presentation executes malware using PowerShell commands embedded inside the PowerPoint file. It reaches out to a malicious domain which downloads various executables and eventually establishes remote desktop protocol (RDP), allowing for remote access to the system.
Zusy, or Tinba (Tiny Banker), is a banking Trojan which was discovered in 2012 and targets financial websites. It can sniff network traffic and perform Man-in-The Browser attacks to inject additional forms into legitimate banking websites. The aim of these it to trick victims into sharing personal financial data, including credit card numbers and authentication tokens.
With the new social engineering dimension of not needing to enable macros, how can users protect themselves from this malware? Fortunately, supported versions of Microsoft Office have a Protected View security feature that comes enabled by default, and which prevents PowerShell command from executing an external program automatically. Providing this feature has not been turned off - not recommended by Microsoft – it displays a severe warning and prompts the user to enable or disable the content.