New Cyberattack Uses Microsoft PowerPoint Mouse Hover Feature

In late May of this year, a new cyberattack technique was discovered that delivered malware via the mouse hover feature in PowerPoint files. This technique debuted in a spam campaign that targeted the United Kingdom, Poland, Sweden, and Netherlands. This method has evolved the Office macro malware threat that re-emerged in 2015 which tricks recipients of emails to run malicious macro, a script that downloads and then installs malware via clicking a link.

How does this cyberattack work? Unlike the previous malware which required a click, this attack makes use of the mouse hover feature in Microsoft PowerPoint to install malware. The spam campaign that used this method, sent infected PowerPoint documents in emails. According to the TrendLabs report these emails used finance-related subject lines to incite recipients to open.

This email contains a malicious PowerPoint Show file which opens directly in presentation mode. Once a mouse is placed over the presentation, the macro will attempt to run immediately. However, this function is often prevented by Microsoft’s Protected View unless the user “enables” macros.

Microsoft Protected View Security Warning

Microsoft PowerPoint Security Notice
Image SentinalOne – Microsoft

If you see this warning while using the mouse hover feature in PowerPoint do not enable the function. Window’s Protected View will generate this warning to block the malicious download. Thankfully, this security feature was enabled by default in Office 2010, so many users have some form of security in place for this malware.

If the macro is enabled, an embedded malicious PowerShell script runs to download JS_NEMUCOD.ELDSAUGH which is a downloader in the form of a Jscript Encoded File (JSE). The JSE is what retrieves the final payload from a command-and-control (C&C) server.

The final payload detected by the TrendLabs team is a variant of the OTLARD banking Trojan, which is known as Gootkit. Gootkit is a well known malware in Europe and it is used to steal credentials and financial data. The “mousehover” technique was used in what many researchers believe was a test run before a larger campaign.

The greatest danger of this new technique is that many users do not realize the attack is taking place. Every Windows PC should have Microsoft’s Protected View enforced to prevent any malicious macros running. Even with the Protected View, a macro may be enabled by a user who is unaware of the danger.

Security awareness is key to avoiding a cyberattack for you and your organization. A culture of awareness solves the greatest concern for the future of cybersecurity: which is the potential for human error.

Crossroads Cybersecurity Team has the expertise you need to create a security plan customized to your unique needs. Contact us using the form below to begin preparing for a cyberattack, today.