Today’s malware is so advanced that you don’t even need to click on it to infect your PC. You can infect your computer simply by hovering over a PowerPoint link.
Hackers have developed a way to infect computers with no click required, according to our friends at IT security company Trend Micro.
That’s a scary development for PC users around the world. Most PC users know not to click on a suspicious link. However, many computer users believe just hovering over a link is completely harmless.
The new malware attacks your system when you hover your cursor over a hyperlinked picture or text in a PowerPoint slideshow. The technique is used by a Trojan downloader known as TROJ_POWHOV.A and P2KM_POWHOV.A.
Trend Micro discovered the malware while investigating a spam email campaign hitting the Europe, Middle East, and Africa (EMEA) region. The infected PowerPoint file was attached to the spam email under an innocuous title like “purchase order” or “equipment rental”.
Organizations in the UK, the Netherlands, Poland, and Sweden have been hit particularly hard by the campaign. The spam emails specifically target companies in manufacturing, fabrication, education, logistics, and pyrotechnics. The campaign's motives are unclear.
The Malware Will Steal Your Online Banking Credentials
After you hover over a PowerPoint link, the malware infects your computer. The Trojan will install a version of the OTLARD banking Trojan as its payload.
OTLARD is also known as Gootkit. The malware was first spotted in 2012, and soon evolved into a persistent data-stealing Trojan.
The spyware is specifically known for stealing banking credentials and bank account information.
Attacks Have Peaked in the Last Few Weeks
Trend Micro found that the spam emails peaked on May 25, when the company registered 1,444 detections. However, the email campaign had died down by May 29.
The spam emails were short, basic messages written to encourage the recipient to download the infected PowerPoint file.
The attached file is a malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS). The attackers choose these file types because they open directly into presentation/slideshow mode.
The victim downloads and opens the file. Then, if the mouse hovers over any text or picture embedded with a malicious link, a security warning appears. That warning asks whether or not you want to enable the content to run, a security feature Microsoft implements by default.
If you choose to enable the content, a malicious PowerShell script executes, which downloads another downloader, which finally retrieves the payload from the server.
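To make the hover mechanism above concrete for triage, here is an added Python example (not code from Trend Micro or the original article) that lists every mouse-over action stored in a PPSX/PPTX package without opening it in PowerPoint. The element names a:hlinkMouseOver and a:hlinkHover and the ppaction://program action come from the Office Open XML format rather than from this page; the function names and the sample package are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

A = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
HOVER_TAGS = (A + "hlinkMouseOver", A + "hlinkHover")  # text runs; shapes and pictures

def _xml(z, name):
    # OOXML parts need no DTD; refuse DTDs and UTF-16 parts to avoid entity-expansion tricks.
    data = z.read(name)
    if b"<!DOCTYPE" in data or b"\x00" in data:
        raise ValueError(f"unexpected DTD or encoding in {name}")
    return ET.fromstring(data)

def find_hover_actions(ppsx):
    """List every mouse-over action in a PPSX/PPTX given as a path or file object."""
    findings = []
    with zipfile.ZipFile(ppsx) as z:
        names = set(z.namelist())
        slides = (n for n in names if n.startswith("ppt/slides/slide") and n.endswith(".xml"))
        for slide in sorted(slides):
            # r:id values on a slide resolve through its relationships part.
            rels_part = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_part in names:
                for rel in _xml(z, rels_part).iter(PKG + "Relationship"):
                    rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", ""))
            for el in (e for e in _xml(z, slide).iter() if e.tag in HOVER_TAGS):
                action = el.get("action", "")
                target, mode = rels.get(el.get(R + "id"), ("", ""))
                # ppaction://program asks PowerPoint to launch the target as a program.
                findings.append({"slide": slide, "action": action, "target": target,
                                 "runs_program": action.lower().startswith("ppaction://program"),
                                 "external": mode == "External"})
    return findings

def build_sample():
    """Constructed one-slide package with a hover action; the target is a harmless placeholder."""
    slide = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{A[1:-1]}" xmlns:r="{R[1:-1]}"><a:rPr>'
             '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr></p:sld>')
    rels = (f'<Relationships xmlns="{PKG[1:-1]}"><Relationship Id="rId2" Type="{R[1:-1]}/hyperlink" '
            'Target="placeholder-program.exe" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf
```

Calling find_hover_actions(build_sample()) returns one finding with runs_program set to True; on a real attachment, any finding with runs_program or external set deserves a closer look before the file is opened.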
How to Avoid the Mouse Over Trojan
The best way to avoid this Trojan is to open all downloaded Microsoft files in Protected Mode (something that may be enabled by default).
Alternatively, download and use good antivirus software to stay protected.