Malware invades through PowerPoint files without a macro

'Turn off macros, and be careful whenever you enable them while opening a Microsoft Office Word document.' This warning alone is probably no longer enough.

You have probably heard warnings like this many times. A macro is a series of commands used to automate a repetitive task, and attackers often abuse it to compromise computers through Office files, especially Word documents. Recently, however, a form of attack was discovered that does not require the user to enable macros at all: the malware is launched on the system by a PowerShell command embedded in a PowerPoint (PPT) file.

The PowerShell code inside the document is triggered as soon as the victim hovers the mouse over a link, downloading the payload to the computer without a single click. Researchers at the security company SentinelOne found that the group using these malicious PowerPoint files is spreading Zusy, a trojan also known as Tiny Banker.

Discovered in 2012, Zusy is a banking trojan that targets financial websites. It can intercept network traffic and perform man-in-the-browser attacks that inject extra forms into legitimate web pages, asking victims to enter sensitive data such as card numbers, TANs and authentication codes.

"A variant of malware called Zusy has been found as a PowerPoint file attached to spam emails with titles like "Purchase Order #130527" and "Confirmation" ... users must turn on macros to execute," researchers at SentinelOne Labs said.

[Picture 1: the Office warning displayed before the file is opened]

The PowerPoint file attached to such emails displays, when opened, the text "Loading... Please Wait" as a hyperlink. When the user hovers over it, the PowerShell script runs automatically; however, the Protected View security feature, enabled by default in most Office versions including Office 2013 and 2010, shows a warning first. If the user ignores this warning and allows the content to run, the malicious code connects to the cccn.nl domain, downloads an executable, and the new variant of the Zusy banking trojan is installed.

Security researcher Ruben Daniel Dodge also analyzed this new attack and confirmed that it does not depend on macros, JavaScript or VBA to execute. "It is done through the definition of a mouse-over action. This action is set to execute the program in PowerPoint when the user moves the mouse over the text. "RlD2" is defined as a hyperlink and an object and a PowerShell command," Dodge said.

The company also said the attack does not work if the file is opened in PowerPoint Viewer, because the viewer refuses to execute the program. Even so, the technique can still be effective in some cases.
