Security researchers have spotted a booby-trapped PowerPoint file that will download malware to a computer whenever a victim hovers a link, no macro scripts required.
The file is a PowerPoint presentation that is delivered to potential victims as a file attachment with emails bearing the subject line "RE:Purchase orders #69812" or "Fwd:Confirmation". The name of the PowerPoint file itself is "order&prsn.ppsx", "order.ppsx", or "invoice.ppsx", and there's also evidence the file has been spread around inside ZIP files.
Hello,
Please see attached purchase order for the moving of equipment from London to Surrey on Wednesday 31st May.
Thanks
Nasim Khan, E-Pharm Limited
Phone : +44 (0) 203 3002245
PPSX files are identical to PPTX files, except that they open directly in PowerPoint's slide show view instead of the edit mode.
The PowerPoint file contains a single slide (pictured below) whose only content is the linkified text "Loading...Please wait".
Whenever the user hovers over that link, the hover action invokes PowerShell, which attempts to run the following code.
If the user is using an Office installation with the Protected View security feature enabled, Office will stop the attack from taking place.
If Protected View is disabled, or the user dismisses the warning popup and allows the code to run, the malicious PowerShell code attempts to connect to http://cccn.nl/c.php and download another file.
During our tests, the malicious PPSX file downloaded the following EXE, a mundane malware loader, saved it to the user's local Temp folder, and later tried to launch it via cmd.exe.
Office Protected View protects against "hover link" technique
Contacted by Bleeping Computer, a Microsoft spokesperson provided more information on this attack vector.
Office Protected View is enabled by default and protects against the technique described in the report. Both Windows Defender and Office 365 Advanced Threat Protection also detect and remove the malware. We encourage users to practice good computing habits online, and exercise caution when enabling content or clicking on links to web pages.
As Microsoft said in its statement, Office protects against this technique because Office Protected View is enabled by default. Users and organizations that know they've turned off this feature should review their policy to take this attack vector into consideration.
UPDATE: Following our article, security researcher Ruben Daniel Dodge has also published research on this same attack vector, along with SentinelOne.
IOCs:
PowerPoint file:
796a386b43f12b99568f55166e339fcf43a4792d292bdd05dafa97ee32518921
f05af917f6cbd7294bd312a6aad70d071426ce5c24cf21e6898341d9f85013c0
Second-stage EXE:
9efc3aa23de09f1713a2e138760a42d0a14568c86cdbb5499d2adddbe197db57