Security experts have detected a booby-trapped PowerPoint file they term as “Zusy” that will download malware to a computer whenever a user hovers a link, no macro scripts required. The file is delivered to its potential victims as a file attachment with emails with subject line “RE:Purchase orders #69812” or “Fwd:Confirmation.” The name on the PowerPoint file itself is “order&prsn.ppsx,” “order.ppsx,” or “invoice.ppsx,” and there are reports that the file has been spread around inside ZIP files.
PPSX files are similar to PPTX files, except they enter the PowerPoint presentation view when opened, instead of the PowerPoint edit mode. When the user opens the document they are greeted with a prompt, “Loading…Please wait,” which is displayed as a blue hyperlink to the victim. Once the victim moves the mouse over the hyperlink, it results in PowerPoint executing PowerShell. The hover action was configured to execute a program in PowerPoint once the user mouses over the text. Upon enabling the content, the PowerShell code is executed and a domain named “cccn.nl” is contacted to download and execute a file that is responsible for delivering the malware downloader.
A Microsoft spokesperson explained that Office Protected View is enabled by default. The feature is meant to detect and remove malware. Users and organizations that are aware of the feature being off should review their security policy to take into account this attack vector.
For more information on ways to protect your organization from malware, please contact Power Consulting Group, 212-647-0377.