PowerShell commands used for downloading malware from PowerPoint

by Gabriel E. Hall - - 2017-06-08

Probably, everyone has heard about dangers that might hide under the “Enable Macros” button in the Microsoft Word document^[1] that has unexpectedly shown up in one of the received emails. Ransomware, banking trojans and other malware quite often enter the system by exploiting this feature. However, the list of potentially dangerous files has been just expanded. Researchers have recently discovered a new infiltration technique used for malware distribution. It’s PowerPoint. Using this Microsoft Office product cyber criminals spread a new version of Zusy^[2] (also known as Tinba) banking Trojan that has been first spotted in 2012.

PowerPoint file might include malware

The PowerPoint file drops malware on the system when user hovers the link

Hackers follow the same tricky infiltration strategy that relies on social engineering and malspam. The malicious PowerPoint file is being distributed via emails that have subject line “Re: Purchase order [random number] or “Confirmation.” When a user opens such email, she or he finds an attached PowerPoint file that is usually named as “order.ppsx,” “invoice.ppsx” or similarly. The PowerPoint suffix PPSX is designed to open the file in the presentational view instead of the editing mode.

This PowerPoint presentation starts with the white slide that includes the text saying “Loading… Please wait.” There’s no doubt that instead of waiting for something to happen, users want to hover or move the mouse over this mysterious sentence that looks like a link. The majority of people checks links in this way. However, this regular action might be enough for banking Trojan to enter the system.

Thus the main advantage of this malware distribution method is that it does not require employing Macros, VBA or JavaScript.^[3] In order to download malware on the system, hackers execute PowerShell^[4] commands. These commands are hidden in PowerPoint file and executed when a user moves or hovers the mouse over the link. Indeed, clicking is unnecessary for downloading malicious payload on the system.

Microsoft protects users from such cyber attacks

Protected View^[5] security feature is enabled by default in the Office 2013 and Office 2010. Thus users who hover over the malicious link receives a Microsoft PowerPoint Security Notice. By clicking “Disable” button, users can protect themselves from malware attack. Thus, users who use older Office versions or those who think that this function has been disabled should make sure that this security feature is turned on.

Due to this security feature, the massive distribution campaign of Zusy trojan is not expected. What is more, Windows Defender and major antivirus programs can easily detect this malware and stop it from entering the system. Thus, the only possible way to see this banking trojan launching massive attacks is the changed dissemination way.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Douglas Bonderud. It’s a Wild, Wild Word: New Macro Malware Now Infecting Both Windows and MacOS. SecurityIntelligence. Analysis & Insight on Information Security.
^ Zeljka Zorz. Tiny but deadly banking Trojan discovered. Help Net Security. Daily Information Security News With a Focus on Enterprise Security.
^ Ruben Dodge. New PowerPoint Mouseover Based Downloader – Analysis Results. Dodge This Security. An Information Security Blog.
^ Codrut Neagu. Simple questions: What is PowerShell & What can you do with it?. Digital Citizen. The Website Helping Define The Issues Of Appropriate Technology Use.
^ What is Protected View?. Microsoft. The Microsoft Support Service.