Cybercriminals have devised a way for PowerPoint to download a malicious file when the user merely hovers the mouse over a link.
Researchers have spotted malicious PowerPoint files, distributed as spam attachments, that take a different approach from the usual malicious Office attachment. Typically these attacks tempt the user to open a document and then, for example, show a blurry image that supposedly requires macros to be enabled before it can be viewed.
This rigged PowerPoint cuts out the click: it downloads malware when the user simply hovers the mouse over a link in the document. That is dangerous because it defies user expectations, and because the recent security advice against enabling macros does not help here, since no macro is involved.
The malicious PowerPoint files are presented as either invoices or purchase orders with email subject titles like "RE:Purchase orders #69812" or "Fwd:Confirmation", reports BleepingComputer.
The attachments are in PPSX format, the Office Open XML "PowerPoint Show" format, which opens the presentation directly in slide show mode rather than in edit mode.
The file's only visible content is the hyperlinked text "Loading… Please wait", and if the user mouses over that text the document executes a PowerShell command that attempts to run an external program and install a backdoor.
Fortunately, Office has a security feature called Protected View, which is enabled by default and stops the PowerShell command from running an external program automatically: instead, an Office security warning dialogue pops up explaining that it has blocked the program from running. If the user disables Protected View manually, however, the malware download goes ahead.
Security researcher Ruben Daniel Dodge has provided a breakdown of how the attack works. The file uses a PowerPoint element definition for a "hover action", which tells PowerPoint to execute a program once the mouse moves over specified text; here the text is the hyperlinked "Loading… Please wait" string and the program is a PowerShell command.
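To triage a PPSX for this trick without opening it in PowerPoint, the Python script below, an added example that is not part of the article or of the researchers' write-ups, unzips the package, looks in each slide for DrawingML hlinkMouseOver (and, for completeness, hlinkClick) elements whose action is ppaction://program or ppaction://macro, and resolves the link's relationship id to the target, which is where the command line is stored. The element, attribute and namespace names are the real Office Open XML ones; the sample package the script builds is constructed for the example, contains only the two parts the scanner reads, and carries a harmless PowerShell command rather than the actual payload.

```python
"""Triage tool: list mouse-over / click actions in a .ppsx or .pptx that launch a program.

Added example, not code from the article or the researchers it cites. The sample deck
built by build_sample_ppsx() is a constructed stand-in for the malicious file described
in the article, with a harmless PowerShell command instead of the real payload.
"""
import io
import posixpath
import sys
import urllib.parse
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# ppaction:// URIs that make PowerPoint run something rather than follow a URL.
PROGRAM_ACTIONS = ("ppaction://program", "ppaction://macro")


def _slide_rels(zf, slide_name):
    """Map each r:id in a slide's .rels part to (Target, TargetMode)."""
    folder, base = posixpath.split(slide_name)
    rels_name = posixpath.join(folder, "_rels", base + ".rels")
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {
        rel.get("Id"): (rel.get("Target"), rel.get("TargetMode", "Internal"))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship")
    }


def find_program_actions(ppsx_bytes):
    """Return (slide_part, trigger, action, decoded_target) for every link whose
    action launches a program or macro. 'trigger' is hlinkMouseOver for hover
    actions (the case in the article) or hlinkClick for ordinary click actions."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("ppt/slides/") and name.endswith(".xml")):
                continue
            rels = _slide_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for link in root.iter(f"{{{A_NS}}}{trigger}"):
                    action = link.get("action", "")
                    if not action.startswith(PROGRAM_ACTIONS):
                        continue
                    target, _mode = rels.get(link.get(f"{{{R_NS}}}id"), (None, None))
                    # The command line is stored percent-encoded in the relationship target.
                    decoded = urllib.parse.unquote(target) if target else None
                    findings.append((name, trigger, action, decoded))
    return findings


# Constructed sample: one slide whose only text carries a hover action, plus its
# relationships part. Only the parts this scanner reads are included.
_SLIDE_XML = f"""<p:sld xmlns:a="{A_NS}" xmlns:r="{R_NS}" xmlns:p="{P_NS}">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
    <a:t>Loading... Please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""

_SLIDE_RELS = f"""<Relationships xmlns="{PKG_NS}">
  <Relationship Id="rId2" Type="{R_NS}/hyperlink"
    Target="powershell%20-NoP%20-W%20Hidden%20-c%20%22Write-Output%20hovered%22"
    TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx():
    """Zip the constructed parts into an in-memory .ppsx-style package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", _SLIDE_XML)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", _SLIDE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .ppsx/.pptx path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ppsx()
    for slide, trigger, action, target in find_program_actions(data):
        print(f"{slide}: {trigger} {action} -> {target}")
```

The point of resolving the relationship rather than just grepping for ppaction://program is that the XML element carries only an r:id; the actual command line sits in the slide's .rels part, percent-encoded, so a signature that only looks at slide XML reports that a program is launched but not which one. Scanning hlinkClick as well catches the same technique in its click-to-trigger form.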
Once the PowerShell command runs, it contacts a specified domain and downloads several more executables that set up the backdoor.