Tuesday 13 June 2017

Microsoft Office malware: Banking trojan downloads if you hover over PowerPoint hyperlink

Malware gangs add mouse-over downloads to their arsenal of social engineering tricks for infecting PCs.

Spammers are testing a new way to trick victims into installing malware: the download starts after the user hovers the mouse over a link in a PowerPoint slide show.

The new infection method adds a twist to the common advice not to click links from suspicious sources, and builds on the malicious Office macro threat that resurfaced in 2015, in which e-mail recipients are fooled into running a malicious macro or script that downloads and installs malware.

BleepingComputer recently discovered the new twist on Office malware, which does not require macros but instead abuses an action in PowerPoint slideshow mode to install malware. If the recipient opens the PowerPoint file and hovers the mouse pointer over the hyperlinked text in the document, it executes a PowerShell command that connects to a malicious domain and downloads malware files.

The malware is delivered as junk e-mail with subject headers and attachment names that suggest an invoice or purchase order. The attachment format is the PowerPoint Open XML Slide Show (PPSX), which can only be viewed and cannot be edited like normal PPT or PPTX files.

The PPSX examples seen so far show the hyperlinked text "Loading ... Please Wait". Hovering over it automatically downloads the malware unless Office Protected View is enabled. Fortunately, Protected View has been enabled by default since Office 2010, in which case Office displays a security warning that blocks the download.

The PowerPoint file downloads a banking trojan known as Gootkit or Otlard; SentinelOne calls it Zusy.

Trend Micro detected a spam campaign with malicious PowerPoint files in late May, primarily targeting organizations in the UK, Poland, the Netherlands and Sweden. The gang behind this spam has previously used malicious macro documents to deliver different payloads.

The current campaign was not widespread, but Trend Micro researchers believe it is a "dry run for future campaigns," which may include a ransomware payload.

"While features like macros, OLEs and mouse hovers have their good and legitimate uses, this technique is powerful in the wrong hands. A socially engineered email and mouse hover - and possibly a click if the latter is disabled - are all it would take to infect the victim," wrote Trend Micro.
