Zusy malware: Are your PowerPoint files at risk?
Several spam campaigns were discovered after a malicious PowerPoint file was exposed. Learn how Zusy malware is delivered when a user merely hovers over hypertext, and how systems can be protected.
Researchers have discovered several spam campaigns that deliver PowerPoint files containing a malicious hyperlink that doesn't need to be clicked to activate. When victims open a file and hover their cursor over the hypertext, the Zusy malware payload is delivered to their computer. How does this technique work?
Unexpected functionality can surprise any user, particularly when it involves opening another program. This functionality might be needed to play a video in a PowerPoint presentation or do an advanced analysis in Excel; not many users know all of the functionalities in Excel or even in their most-used Office application, as the applications have become so complicated.
Much of the potentially dangerous functionality that Microsoft now gives users warnings about before executing is legacy functionality or features only used by a small percentage of the population. Microsoft doesn't necessarily know what functionality is used by consumers on their computers, but on a cloud service they might. Dodge This Security blogged about a new method discussed on Peerlyst for downloading malware with a malicious PowerPoint file, such as Zusy malware, where macros, JavaScript or Visual Basic for Applications aren't used.
Zusy malware uses social engineering: a slide displays the text "Loading, please wait," styled to look like a URL, so that the user hovers over it, and that hover delivers the Zusy malware payload. Most standard security advice tells users to hover over a URL to preview it before opening it, but in this case the hover action itself calls a PowerShell command and starts the infection. The PowerShell command downloads a malicious JavaScript file into the temp folder on the local system; that temp file is executed to download another file with an embedded malicious executable; and the executable then runs via the original PowerShell command to allow remote access to the system, with several further steps taken to clean up and hide the attack.
To block an attack like Zusy malware, consumers should use a whitelisting tool that would block all unapproved executables. Likewise, disabling the JavaScript command line tool or restricting PowerShell usage could also block the attack from taking complete control of the system.