Regular PowerPoint users will be familiar with the advice to keep macros disabled when opening a Microsoft Office document. However, a new form of social engineering attack – using PowerShell commands embedded inside a PowerPoint file – can deliver malware without unwary victims needing to enable macros. It doesn’t even rely on users clicking a link, merely on their mouse hovering over it.
Researchers have spotted that hackers are using this method to distribute the banking Trojan Zusy (aka Tinbar) to target confidential financial information. In its original version, the malware arrives in the form of a spam email entitled Purchase Order or Confirmation and then collects data such as credit card numbers, TANs and authentication tokens by injecting additional forms into legitimate sites.
This new attack delivers a variant of the Trojan via the clever re-definition of the hover action, which acts as though the link were clicked. It fails, however, if the malicious file is opened in PowerPoint Viewer, which has protective default settings and also displays strong warnings to users about enabling macros. Nevertheless, users should be on the alert, as some configurations may be more permissive in executing external programs than others.