Most of us are well acquainted with Microsoft PowerPoint, one of the most widely used presentation programs. According to security firm Trend Micro, PowerPoint files are now being used to deliver a new variant of the Zusy (a.k.a. Gootkit or OTLARD) trojan.
According to the firm’s official blog, the malware arrives in booby-trapped PowerPoint files that contain malicious links. You don’t have to click the link to activate the malware; merely hovering the mouse over it is enough. This may come as a surprise, but some black hat hackers appear to have found a way to infect Windows PCs without requiring the user to click on anything.
This particular breed of malware comes embedded in PowerPoint Show (PPS) or PowerPoint Open XML Slide Show (PPSX) files sent from spam email accounts. The subject lines of the spam emails read ‘Purchase Order’ or ‘Confirmation’ followed by a random serial number. Unlike traditional PPT or PPTX files, these are read-only: they cannot be edited and open directly in slideshow mode.
Such a malicious presentation contains a single slide showing the text “Loading…Please wait”, rendered as a blue hyperlink. We have all learned that hyperlinked text is meant to be hovered over and clicked to open the link and reach the promised content. That is not what happens here. As soon as you hover over the hyperlink, PowerPoint launches Windows PowerShell with a script that downloads the actual malware, which then takes control of your system.
Talking about the malware attack in an official blog post, security researchers from Trend Micro mentioned:
While features like macros and mouse hovers do have their good and legitimate uses, this technique is potent in the wrong hands. A socially engineered e-mail and mouse hover—and possibly a click if the latter is disabled—are all it would take to infect the victim.
However, Microsoft is well aware of the possibility of such attacks and has already baked robust security features into Windows and Office to guard against them. In most cases, especially with newer Office versions, the system should pop up a warning like the one shown above. This protection will not help, however, if you clicked ‘Enable All’ in haste to check out the link or have disabled Protected Mode.
Trend Micro adds that the spam blasts went out to tens of millions of users, and the malware infected close to 1,444 systems back in May. It is most widespread in Europe, the Middle East, and Africa. The script is said to set up a backdoor that establishes an RDP connection to your PC, handing the attacker administrative rights over your system. The attack does not work in PowerPoint Viewer or PowerPoint on the web. Still, we recommend steering clear of suspicious emails and the files attached to them.