
PowerPoint Hack Installs Malware Without Requiring Macros

Beware! Microsoft PowerPoint Hack Installs Malware Without Requiring Macros

By Prempal Singh, June 8, 2017

“Disable macros and always be extra careful when you manually enable them while opening Microsoft Office Word documents.”

You have probably seen the above security warning many times on the Internet, because attackers usually rely on this decade-old macro-based technique to compromise computers through specially crafted Microsoft Office files, particularly Word documents, attached to spam e-mail.

But a new social engineering attack has recently been uncovered in the wild that does not require users to enable macros; instead, it executes malware on the targeted system using PowerShell commands embedded inside a PowerPoint (PPT) file.

Moreover, the malicious PowerShell code hidden inside the document triggers as soon as the victim moves or hovers the mouse over the hyperlink, which downloads an additional payload onto the compromised machine, even without the link being clicked.

Researchers at security company SentinelOne have found that a number of attackers are using malicious PowerPoint files to distribute ‘Zusy’, a banking Trojan also known as ‘Tinba’ (Tiny Banker).

Discovered in 2012, Zusy is a banking Trojan that targets financial websites and has the capability to sniff network traffic and perform Man-in-the-Browser attacks in order to inject additional forms into genuine banking sites, asking the victim to share sensitive data such as credit card numbers, TANs, and authentication tokens.

“A new variant of the malware called ‘Zusy’ has been found in the wild spreading as a PowerPoint file attached to spam e-mails with titles like ‘Purchase Order #130527’ and ‘Confirmation.’ It’s interesting since it doesn’t require the user to enable macros to execute,” researchers at SentinelOne Labs say in an article.

The PowerPoint documents have been distributed through spam emails with subjects like “Purchase Order” and “Confirmation”, which, when opened, display the text “Loading… Please Wait” as a hyperlink.

When the user hovers the mouse over the link, the document automatically tries to trigger the PowerShell code, but the Protected View security feature, which is enabled by default in most supported versions of Office, including Office 2013 and Office 2010, displays a severe warning and asks the user to enable or disable the content.

If the user ignores this warning and allows the content to be viewed, the malicious program connects to the “cccn.nl” domain, from where it downloads and executes a file that is eventually responsible for delivering a new variant of the banking Trojan called Zusy.

“Users might still somehow enable external programs because they’re lazy, in a hurry, or they’re only used to blocking macros,” SentinelOne Labs says. “Also, some configurations may possibly be more permissive in executing external programs than they are with macros.”

Another security researcher, Ruben Daniel Dodge, also analyzed this new attack and confirmed that it does indeed not rely on macros, JavaScript or VBA for its execution method.

“This is accomplished by an element definition for a hover action. This hover action is set up to execute a program in PowerPoint once the user mouses over the text. Inside the resources definition of slide1, ‘rID2’ is defined as a hyperlink where the target is a PowerShell command,” Dodge said.

The security firm also said that the attack does not work if the malicious file is opened in PowerPoint Viewer, which refuses to execute the program. Nevertheless, the technique could still be effective in some cases.

source: thehackernews.com
