But a new social engineering attack has been discovered in the wild, which doesn’t require users to enable macros; instead it executes malware on a targeted system using PowerShell commands embedded inside a PowerPoint (PPT) file.
Researchers at security firm SentinelOne have discovered that a group of hackers is using malicious PowerPoint files to distribute ‘Zusy,’ a banking Trojan also known as ‘Tinba’ (Tiny Banker).
Discovered in 2012, Zusy is a banking trojan that targets financial websites and has the ability to sniff network traffic and perform man-in-the-browser attacks in order to inject additional forms into legitimate banking sites, asking victims to share more crucial data such as credit card numbers, TANs, and authentication tokens.
“A new variant of a malware called ‘Zusy’ has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like ‘Purchase Order #130527’ and ‘Confirmation.’ It’s interesting because it doesn’t require the user to enable macros to execute,” researchers at SentinelOne Labs say in a blog post.
The PowerPoint files have been distributed through spam emails with subjects like “Purchase Order” and “Confirmation”; when opened, they display the text “Loading…Please Wait” as a hyperlink.
When a user hovers the mouse over the link, it automatically tries to trigger the PowerShell code, but the Protected View security feature, which comes enabled by default in most supported versions of Office, including Office 2013 and Office 2010, displays a severe warning and prompts the user to enable or disable the content.
“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros,” SentinelOne Labs says.
“Also, some configurations may possibly be more permissive in executing external programs than they are with macros.”
“This is accomplished by an element definition for a hover action. This hover action is set up to execute a program in PowerPoint once the user mouses over the text. In the resources definition of slide1 ‘rID2’ is defined as a hyperlink where the target is a PowerShell command,” Dodge said.
The security firm also said that the attack doesn’t work if the malicious file is opened in PowerPoint Viewer, which refuses to execute the program. But the technique could still be effective in some cases.
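The structure quoted above (a hover action on a slide whose relationship file resolves the link id to a program rather than a URL) can be checked for at the mail gateway or in triage before anyone opens the deck. The following is an added example, not code from the article or from SentinelOne: a Python scanner that unzips a .pptx, maps each slide's hyperlink relationships, and flags any `hlinkMouseOver` element whose target starts with an interpreter name. The namespace URIs are the real OOXML ones; the interpreter list and the minimal two-part sample package (with a harmless placeholder target) are constructed for this example.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace URIs used by slide parts and their relationship (.rels) files.
NS_PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_DML = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
HYPERLINK_TYPE = NS_REL + "/hyperlink"
# A hyperlink target naming an interpreter instead of a URL; the interpreter list is an assumption.
SUSPICIOUS_TARGET = re.compile(r"^\s*(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32)\b", re.I)


def scan_pptx(data):
    """Return a finding for every mouse-over hyperlink that resolves to a command line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for name in sorted(n for n in names if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)):
            slide = name.rsplit("/", 1)[1][:-4]  # e.g. "slide1"
            rels_name = f"ppt/slides/_rels/{slide}.xml.rels"
            targets = {}  # rId -> Target, hyperlink relationships only
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{NS_PKG_REL}}}Relationship"):
                    if rel.get("Type") == HYPERLINK_TYPE:
                        targets[rel.get("Id")] = rel.get("Target", "")
            # hlinkMouseOver is the DrawingML element behind a PowerPoint hover action.
            for hover in ET.fromstring(z.read(name)).iter(f"{{{NS_DML}}}hlinkMouseOver"):
                rid = hover.get(f"{{{NS_REL}}}id")
                target = targets.get(rid, "")
                if SUSPICIOUS_TARGET.match(target):
                    findings.append({"slide": slide, "rId": rid, "target": target})
    return findings


def build_sample():
    """Constructed two-part package mirroring the quoted structure; the target is a harmless placeholder."""
    slide_xml = (
        f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        f'xmlns:a="{NS_DML}" xmlns:r="{NS_REL}"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:rPr><a:hlinkMouseOver r:id="rId2"/></a:rPr><a:t>Loading...Please Wait</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
    )
    rels_xml = (
        f'<Relationships xmlns="{NS_PKG_REL}"><Relationship Id="rId2" Type="{HYPERLINK_TYPE}" '
        'TargetMode="External" Target="powershell -c Write-Host placeholder"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()
```

A real deck has many more parts, but only the slide XML and its `.rels` file matter for this check, so the scanner ignores the rest.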