PowerPoint File Downloads Malware When You Hover a Link, No Macros Required


CrAKeN

Security researchers have spotted a booby-trapped PowerPoint file that will download malware to a computer whenever a victim hovers a link, no macro scripts required.

 

The file is a PowerPoint presentation that is delivered to potential victims as a file attachment with emails bearing the subject line "RE:Purchase orders #69812" or "Fwd:Confirmation". The name of the PowerPoint file itself is "order&prsn.ppsx", "order.ppsx", or "invoice.ppsx", and there's also evidence the file has been spread around inside ZIP files.

 

[Image: Spam email delivering booby-trapped PPSX file]

Hello,

Please see attached purchase order for the moving of equipment from London to Surrey on Wednesday 31st May.

Thanks
Nasim Khan, E-Pharm Limited
Phone : +44 (0) 203 3002245

 

PPSX files are identical to PPTX files, except they enter the PowerPoint presentational view when opened, instead of the PowerPoint edit mode.

 

The PowerPoint file contains only one slide with the following content (pictured below), containing the linkified text "Loading...Please wait".

 

[Image: Content of PPSX file]

 

Whenever the user hovers the URL, malicious code is executed that will invoke PowerShell and attempt to execute the following code.

 

[Image: Malicious code (obfuscated)]

[Image: Malicious code (deobfuscated)]

 

If the user is using an Office installation with the Protected View security feature enabled, Office will stop the attack from taking place.

 

[Image: Office Protected View stopping execution of malicious code]

 

For users with Protected View disabled or when users ignore the popup and allow the code to execute, the malicious PowerShell code will attempt to connect to http://cccn.nl/c.php and download another file.

 

During our tests, the malicious PPSX file downloaded the following EXE, a mundane malware loader, which it saved to the user's local Temp folder, and later attempted to launch into execution via cmd.exe.

 

Office Protected View protects against "hover link" technique


Contacted by Bleeping Computer, a Microsoft spokesperson provided more information on this attack vector.

 

Quote

Office Protected View is enabled by default and protects against the technique described in the report. Both Windows Defender and Office 365 Advanced Threat Protection also detect and remove the malware. We encourage users to practice good computing habits online, and exercise caution when enabling content or clicking on links to web pages.

 

As Microsoft said in its statement, Office protects against this technique because Office Protected View is enabled by default. Users and organizations that know they've turned off this feature should review their policy to take into consideration this attack vector.

 

IOCs:


PowerPoint file:

796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921

f05af917f6cbd7294bd312a6aad70d071426ce5c24cf21e6898341d9f85013c0

 

Second-stage EXE:

9efc3aa23de09f1713a2e138760a42d0a14568c86cdbb5499d2adddbe197db57

 

 

Source

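The article above describes the mechanism only at the level of "hovering the link invokes PowerShell". For a defender who wants to triage attachments without opening them, the following is an added example (not code from the article, from BleepingComputer, or from the forum poster) of the kind of static check that catches this class of document. A PPSX/PPTX file is a zip archive, and the link attached to a slide shape is recorded in the slide's relationship part (ppt/slides/_rels/slideN.xml.rels) as a hyperlink Relationship whose Target is normally a web or mailto URL. The scanner below flags any hyperlink relationship whose target is something other than http, https or mailto, which is where a command line would have to sit for a hover or click action to launch a local program. The build_sample() helper, the rId2 identifier and the placeholder target "powershell -c PLACEHOLDER_COMMAND" are constructed test inputs for this example, not the campaign's actual document or command; the only real values are the standard OOXML namespace and relationship-type URIs. The check looks at relationship targets only, so it is a triage aid rather than a complete parser of every PowerPoint action type.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Standard OOXML package-relationship namespace and hyperlink relationship type.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
)
# Schemes a presentation hyperlink is normally expected to carry.
SAFE_SCHEMES = {"http", "https", "mailto"}


def scan_ppsx(data: bytes) -> List[Dict[str, str]]:
    """Return slide hyperlink relationships whose Target is not a web/mail URL.

    A hover or click action that launches a program is wired through a
    hyperlink relationship whose Target is a command line rather than a URL,
    so that attribute is what this check inspects. Only the
    ppt/slides/_rels/*.rels parts are examined.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != HYPERLINK_TYPE:
                    continue
                target = rel.get("Target", "")
                # urlparse gives an empty scheme for "powershell -c ..." style targets.
                scheme = urlparse(target).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    findings.append(
                        {"part": name, "id": rel.get("Id", ""), "target": target}
                    )
    return findings


def build_sample(target: str) -> bytes:
    """Constructed test input: a minimal zip holding one slide relationship part.

    This is not a real presentation and will not open in PowerPoint; it carries
    only the part the scanner reads, with the given hyperlink target.
    """
    safe_target = escape(target, {'"': "&quot;"})
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{HYPERLINK_TYPE}" '
        f'Target="{safe_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Scan files named on the command line, or fall back to the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan_ppsx(fh.read()))
    else:
        print("benign :", scan_ppsx(build_sample("http://example.com/")))
        # Placeholder command, not the campaign's actual PowerShell one-liner.
        print("suspect:", scan_ppsx(build_sample("powershell -c PLACEHOLDER_COMMAND")))
```

Run it as `python scan_ppsx.py order.ppsx invoice.ppsx` to list flagged relationships per file; an empty list means no slide hyperlink pointed anywhere other than a web or mail URL. Pairing a hit from this check with the Protected View policy review the article recommends gives both a file-level and a configuration-level control for the same vector.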

Oooooh.... an invoice from a company called E-Pharm for moving equipment? That sounds 100% legitimate.

 

Seriously, some people are about as smart as paint.

 

Me: Do you still have the box your computer came in?

User: Yes.

Me: Put it back in the box and return it.

User: What reason should I give for returning it?

Me: Tell them you're too stupid to use it!



straycat19
1 hour ago, Karlston said:

Oooooh.... an invoice from a company called E-Pharm for moving equipment? That sounds 100% legitimate.

 

Seriously, some people are about as smart as paint.

 

Me: Do you still have the box your computer came in?

User: Yes.

Me: Put it back in the box and return it.

User: What reason should I give for returning it?

Me: Tell them you're too stupid to use it!

 

Actually it does sound kind of legitimate.

 

https://www.e-pharm.gr/

http://www.epharmsc.com/

http://www.epharmnutrition.com/

Paint is smart compared to a rock or a user, so the appropriate comparison would be the proverbial 'dumb as a rock' or, if they are really stupid, 'dumb as a box of rocks'.

 

Loved the computer shipment joke. :D

 

 



I didn't read the article yet and don't feel like reading the whole article right now. I read the part about how you can get infected and OMFG, I agree you would have to have an IQ of eighty or below to click on that.



14 hours ago, Holmes said:

[...] to click on that.

 

Hover over is more than enough.

Sometimes reading the article first and commenting afterwards DOES help ;-)



You have to right-click on the file attachment and download it, or left-click and have it download automatically, depending on the computer configuration, and then the hover-over-the-link step begins.



Malicious PowerPoint presentations are spreading a malware that executes when the user “mouses over” a link—no clicking or macros required.

 

“This document was interesting as it did not rely on macros, Javascript or VBA for the execution method,” explained Ruben Dodge, in his Dodge This Security blog, in an analysis. “Which means this document does not conform to the normal exploitation methods.”

 

When the user opens the document, he or she will be presented with text saying, “Loading…Please wait,” which is displayed as a blue hyperlink. When the user mouses over the text (which is the most common way users would check a hyperlink) it results in Powerpoint executing PowerShell. When that PowerShell is executed it reaches out to a malicious domain, downloading various executables and eventually establishing remote desktop protocol (RDP) for remote access to the system.

 

“I sandboxed the payload for eight hours but no threat actors connected to the system,” said Dodge, who describes himself as a cyber-intelligence analyst at a Fortune 50. “So I was unable to see what other purpose the backdoor might have if the threat actors had taken specific interest in the system.”

 

Caleb Fenton and Itai Liba, senior security researchers at SentinelOne Labs, said that the propagation technique is being used to distribute a new variant of a malware called “Zusy,” which is a spyware Trojan. In this campaign, the PowerPoint file is attached to spam emails with titles like “Purchase Order #130527” and “Confirmation”.

 

Article source



straycat19

Security, security, security. Never open an attachment to an email unless it is one you specifically requested from a known person. We have been preaching this for years and people still want to open them and see what they are. Had a high level administrator back in 2000 when the Anna Kournikova virus was floating around who tried to open the attached 'Anna Kournikova Naked.jpg.exe' file (notice the second extension exe that Windows will not show) and infected his machine. I cleaned the machine and deleted the email from his inbox. He was persistent though. 10 minutes later I received another call that he got it out of the trash and tried opening it again and reinfected his machine. When I asked him why he said, "Because I didn't get to see the picture the first time."



This is posted:

 

Old news.
