Malware that spreads through PowerPoint files

By Balamurugan Selvaraj Published on Jun 08, 2017 05:40 PM IST

Last week, security researchers at SentinelOne's lab discovered new malware that has been spreading through email as PowerPoint files.

Earlier this month, a large number of cyber attacks were carried out through phishing emails and social media. In a similar attack, two researchers, Caleb Fenton and Itai Liba, found this malware, called 'Zusy', a banking Trojan that was spotted in 2012 infecting a large number of personal computers across the world.

According to the researchers, the attackers attach this malware to spam emails with titles containing 'Purchase Order #130527 and confirmation'.

Interestingly, this malware doesn't require the user's permission to run macros in PowerPoint. Most Office malware relies on users enabling macros, which then download an executable payload with malicious content. Instead, this malware uses the external programme feature to execute its payload.

As soon as the victim opens the file, a pop-up screen appears with a link that reads 'Loading… Please wait'. When the user moves the mouse over the link, it automatically tries to trigger the PowerShell code in protected view mode.

A security warning about the file also appears, asking the user to choose either enable or disable. If the victim ignores the security warning and clicks to open the file, the malicious programme connects the victim to the cccn.nl domain. A file is then executed from this domain, and it is ultimately responsible for delivering a new variant of the banking Trojan called Zusy.

The researchers have confirmed that the attack does not infect the machine if the file is opened in PowerPoint Viewer, which refuses to execute the programme.
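For mail-gateway or triage use, the mouse-over behaviour described above can be checked for without opening the file in PowerPoint. The following is an added example, not code from the researchers or from this article: it assumes the hover action is stored in the slide XML as a DrawingML `hlinkMouseOver` element with a `ppaction://program` action, and the function names and the sample file are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumption (not from the article): hover actions are DrawingML hyperlink elements.
A = "http://schemas.openxmlformats.org/drawingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
TRIGGERS = {f"{{{A}}}hlinkMouseOver": "hover", f"{{{A}}}hlinkClick": "click"}


def _xml(zf, name):
    raw = zf.read(name)
    if b"<!DOCTYPE" in raw:  # OOXML parts need no DTD; refuse entity tricks
        raise ValueError(f"unexpected DOCTYPE in {name}")
    return ET.fromstring(raw)


def find_program_actions(pptx_bytes):
    """List slide hover/click actions that start an external program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        names = set(zf.namelist())
        slides = (n for n in names if n.startswith("ppt/slides/slide") and n.endswith(".xml"))
        for slide in sorted(slides):
            rels = slide.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rel_root = _xml(zf, rels) if rels in names else ET.Element("none")
            targets = {r.get("Id"): r.get("Target") for r in rel_root.iter(f"{{{PKG}}}Relationship")}
            for el in _xml(zf, slide).iter():
                action = (el.get("action") or "").lower()
                if el.tag in TRIGGERS and action.startswith("ppaction://program"):
                    findings.append({"slide": slide, "trigger": TRIGGERS[el.tag],
                                     "target": targets.get(el.get(f"{{{R}}}id"))})
    return findings


def build_constructed_sample():
    """Constructed PPTX-shaped zip, not a real sample; target is a placeholder."""
    slide = (f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"'
             f' xmlns:a="{A}" xmlns:r="{R}"><a:hlinkMouseOver r:id="rId2"'
             f' action="ppaction://program"/><a:hlinkClick r:id="rId3"/></p:sld>')
    rels = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId2" Type="{R}/hyperlink"'
            f' Target="placeholder-program.exe" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Calling `find_program_actions(build_constructed_sample())` reports the hover action and its relationship target while ignoring the ordinary click hyperlink on the same slide.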

"Users might enable external programmes because they're lazy, in a hurry, or they're only used to blocking macros," the researchers wrote in a blog post.