PowerPoint files attach emails with such titles and when opened, it displays the text "Loading . Please Wait" in the form of a hyperlink. When a user hovers over it, it automatically runs the PowerShell script, but the Protected View security feature is enabled by default in most Office versions, including Office 2013 and 2010, which will display a warning. If the user ignores this warning and allows the text to be opened, the malicious code will connect to the cccn.nl domain, thereby downloading the executable file and the new variant of the banking trojan named Zusy will invade.
Security researcher Ruben Daniel Dodge also analyzed this new attack and confirmed that it does not depend on macros, Javascript or VBA to execute. "It is done through the definition of a mouse drag. This operation is set to execute the program in PowerPoint when the user moves the mouse over the text." RlD2 "is defined as a hyperlink and an object and a PowerShell command "Dodge said.
The company also said the attack will not happen if the file is opened with PowerPoint Viewer because it refuses to execute the program. However, this technique can still be effective in some cases.