We have all heard of or seen malware that is embedded within malicious links. Usually, the user must click the link for the malware to do its job. However, researchers at Trend Micro have recently uncovered malware that only needs you to hover your mouse over a link in order to execute.
According to the researchers, the malware is essentially a banking Trojan that automatically steals a victim’s credentials and banking information once inside the user’s system.
The researchers analyzed the Trojan and found it to be an OTLARD variant, otherwise known as Gootkit. This banking Trojan has been around since 2012 and has evolved into a Trojan capable of remote access, network traffic monitoring and other similar tactics.
The Trojan can steal bank information and has done so in the past in a campaign that involved France. The perpetrators sent out files that appeared to be letters from the French Ministry of Justice.
How does it work?
The malware is activated right after the victim hovers over a link in a PowerPoint file (PPS or PPSX) sent as an email attachment. Along with the PowerPoint file, the email contains other files such as an invoice and a purchase order.
When the victim opens the PowerPoint slide and hovers over a link in it, a pop-up appears in Microsoft Office; if the user chooses to run the associated file from that pop-up, the malware executes instantly.
However, this assumes that the user is running an older version of Microsoft Office. In the latest version, Microsoft Office initially opens files in Protected View, thereby preventing malicious infections from getting into the system.
As such, the method relies largely on adept social engineering to trick the user into opening the file and disabling Protected View so that they can hover over the link.
The mouse-hover technique may work effectively in corporate environments, where Office files are regularly sent and received and employees pay little attention to what a file is. According to Trend Micro:
“The trick will not work in Microsoft PowerPoint Online or Office 365’s “web mode”, as these don’t provide the actions functionality that is present in offline/desktop versions. An Office 365 end user, however, can still be affected if he accesses his account and opens the malicious file through a client (PowerPoint locally installed in the machine).”
How to protect yourself?
One way of preventing the attack is to update your Microsoft Office version and use Protected View to read files. Also, given that the attack uses the medium of email, boosting email security is another way to protect yourself against these types of attacks.
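One way to screen PowerPoint attachments for this behaviour at a mail gateway or during triage, as an added example that is not code from Trend Micro or the original article. It assumes the OOXML element `a:hlinkMouseOver` and the `ppaction://program` action value, which come from the file format rather than the article; it covers PPSX/PPTX only (not legacy binary PPS), the function names are hypothetical, and the sample deck is constructed with a placeholder target.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted mail at scale, prefer defusedxml

# Assumption: the OOXML names below come from the file format, not from the article.
A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_hover_actions(data):
    """Return (slide part, action, target) for each mouse-over action in a PPSX/PPTX."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        for name in sorted(names):
            if not (name.startswith("ppt/slides/slide") and name.endswith(".xml")):
                continue
            # Relationship ids on the slide resolve through its sibling _rels part.
            rels_name = "ppt/slides/_rels/" + name.rsplit("/", 1)[1] + ".rels"
            rels = {}
            if rels_name in names:
                root = ET.fromstring(pkg.read(rels_name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    rels[rel.get("Id")] = rel.get("Target", "")
            for el in ET.fromstring(pkg.read(name)).iter(f"{{{A_NS}}}hlinkMouseOver"):
                rid = el.get(f"{{{R_NS}}}id", "")
                findings.append((name, el.get("action", ""), rels.get(rid, "")))
    return findings


def launches_program(finding):
    """True when the hover action runs a program instead of jumping to a slide or URL."""
    return finding[1].lower().startswith("ppaction://program")


def build_sample():
    """Constructed two-slide deck: slide1 has a program hover action, slide2 is plain."""
    p_ns = "http://schemas.openxmlformats.org/presentationml/2006/main"
    head = f'<p:sld xmlns:p="{p_ns}" xmlns:a="{A_NS}" xmlns:r="{R_NS}">'
    hover = '<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId2" '
            'Target="PLACEHOLDER-COMMAND" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", head + hover + "</p:sld>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/slides/slide2.xml", head + "</p:sld>")
    return buf.getvalue()
```

Any finding for which `launches_program` returns true is worth quarantining for review, since the resolved target is what the Office pop-up would offer to run.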