New PowerPoint malware delivery technique tested by spammers

A spam run detected by several security companies has attempted to deliver malware through an innovative technique: a link in a PowerPoint slideshow.

PowerPoint malware

The attack unfolds like this:

  • A malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) is delivered attached in a bogus email (invoice, purchase order, what have you)
  • Victims download the file and run it, and are faced with a single text link (or hyperlinked picture) in the file
  • They are puzzled by it, and hover with the mouse’s pointer over it in order to discover where the link will take them
  • That simple move triggers a mouseover action that leads to a security warning pop-up (Microsoft disables the content of suspicious files by default via Protected View)
  • Users who are still curious and allow the program to be run, either by clickling the Enable All or Enable button, start a chain reaction: an embedded malicious PowerShell script is executed that downloads another downloader in the form of a JScript Encoded File (JSE), which retrieves the final payload from a C&C server (in this case, a banking Trojan).

This particular spam campaign has been directed against European and UK companies in the manufacturing, device fabrication, education, logistics, and pyrotechnics industries. It was limited, and Trend Micro researchers believe it might have been just a dry run to test the new technique.

“Time will tell whether this new infection vector gains popularity among the criminal element. The fact that it does not need a macro is novel and triggers on mouse activity is a clever move,” Malwarebytes researcher Jérôme Segura noted. “There is no doubt threat actors will keep on coming up with various twists to abuse the human element.”

And while there are a number of things company IT/system administrators can do to protect employees from this type of threat, individual (home) users must rely on their email provider’s phishing filters to block such emails, up-to-date antivirus to detect and stop the malware, and their own capability to spot social engineering tactics.

Also, according to SentinelOne, users of the PowerPoint Viewer tool are likely safe, as it refuses to execute the malicious script.