New malware spreads via PowerPoint files

Earlier this month, researchers at SentinelOne discovered a malware infection spread via Microsoft PowerPoint files attached to spam emails. Unlike most forms of malware, it doesn’t rely on macros or JavaScript to download the payload, nor do users have to click on a link. Instead, it downloads the infection – a variant of the Zusy malware – as soon as users hover over a link included in the PowerPoint document.

How it works

The spam emails through which the malware is delivered are much as you’d expect. They have subject lines such as “Purchase Order #130527” or “Confirmation”, and invite recipients to open an attached PowerPoint file. The files are named either “order”, “invoice” or “order&prsn”, and are saved in the PPSX format. This format is identical to the default PowerPoint format, PPTX, except that it opens files in presentation view rather than edit view.

Once the file is opened, the presentation displays a message that reads “Loading…Please wait”. This is a hyperlink that executes the malicious code should the user hover their mouse over it.

Many users will be partially protected from the malware because of Microsoft’s Protected View security feature, which is enabled by default in most supported versions of Office. It informs the user of the threat in a dialog box, and advises them to disable the content.

However, as SentinelOne’s researchers wrote, the malware could still be effective in some circumstances:

Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros. Also, some configurations may possibly be more permissive in executing external programs than they are with macros.

Train your staff

This incident is a perfect example of how phishing campaigns can be successful. Technology often flags up potential attacks for the user through warning messages, such as in this case, or by placing potentially malicious emails in a spam folder. However, under the right conditions, the user may ignore those warnings and fall victim.

After a phishing attack last month on Gannett, the owner of USA Today, the director of marketing and strategic relationships for Plixer International, Bob Noel, commented that hackers have become so proficient at phishing that they can trick even the savviest of tech users. He said that this proves that people are the weakest link in the security chain, and that educating staff on the dangers of phishing should be a top priority for all organisations.

That education should include showing staff how to recognise a phishing email and how to respond when they receive one, which is exactly what our Phishing Staff Awareness Course provides. Full of practical tips and advice, the course teaches you everything you need to know to avoid falling victim.
