Zusy PowerPoint Malware Installed Simply by Hovering over Hyperlink

Malicious PowerPoint documents are spreading malware that executes when the user simply hovers over a hyperlink. This new variant of the Zusy malware is particularly dangerous, as it does not require the user to enable macros or actually click on a link; a departure from normal exploitation methods.

The PowerPoint files are attached to spam emails with generic titles such as ‘Purchase Order #203150’ or ‘Fwd: Confirmation’, and are attracting attention as they do not rely on macros, Javascript or VBA in order to execute. Instead, when a user opens the document, text that states: “Loading…Please wait” is displayed as a blue hyperlink.

When the user hovers or ‘mouses’ over the text, the malicious presentation executes malware using PowerShell commands embedded inside the PowerPoint file. It reaches out to a malicious domain which downloads various executables and eventually establishes remote desktop protocol (RDP), allowing for remote access to the system.

Zusy, or Tinba (Tiny Banker), is a banking Trojan which was discovered in 2012 and targets financial websites. It can sniff network traffic and perform Man-in-The Browser attacks to inject additional forms into legitimate banking websites. The aim of these it to trick victims into sharing personal financial data, including credit card numbers and authentication tokens.

With the new social engineering dimension of not needing to enable macros, how can users protect themselves from this malware? Fortunately, supported versions of Microsoft Office have a Protected View security feature that comes enabled by default, and which prevents PowerShell command from executing an external program automatically. Providing this feature has not been turned off - not recommended by Microsoft – it displays a severe warning and prompts the user to enable or disable the content.


To ensure this malware is identified, CYBONET’s PineApp Mail Secure can also help by blocking 99.7% of spam and viruses and protecting your email traffic; both inbound and outbound. PineApp Mail Secure neutralizes advanced persistent threats and guards against zero-hour viruses, malware and ransomware with a multi-layer anti-spam and anti-virus system, enforced user defined policy controls and easy-to-deploy solution modules for added functionality. To learn more about how PineApp Mail Secure can protect your organization from malware in all its forms, click here, or contact info@cybonet.com