Zusy Malware Installs Via Mouseover – No Clicking Required

Researchers are warning of several recent spam campaigns delivering PowerPoint files that, when opened, contain a mouseover link that installs a variant of the Zusy malware.

The malware is novel because it does not rely on macros, JavaScript or VBA being enabled for the dropper file to download the malware payload. Infections are relatively few, according to researchers, who attribute the small numbers to the fact that recent versions of Microsoft Office warn users that booby-trapped files could be malicious.

Victims must first open the PowerPoint file to become infected; once it is opened, a “Loading… Please wait” hypertext message appears. If a user hovers over those words, it triggers an infection chain that delivers the Zusy malware payload.

“When the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell,” wrote Ruben Dodge, a cyber intelligence analyst, in a blog post last week.

According to several security firms tracking the malware, Zusy is currently being spread via spam campaigns with subject lines like “Purchase Order #130527” and “Confirmation.” The name of the PowerPoint file varies among “order.ppsx”, “invoice.ppsx” and “order&prsn.ppsx.”

The technical aspect of the mouseover technique is an “element definition for a hover action” attached to the hypertext phrase “Loading… Please wait” embedded in the first slide of the PowerPoint file, according to Dodge. When the user hovers over the hyperlink, a PowerShell module is instructed to visit a URL and fetch a malware downloader that is saved to the target’s Temp folder, according to the researcher.

The final stage includes the execution of the JScript Encoded Script file (ii.jse) that pulls down the Zusy payload.

If users of Office 2013 and Office 2010 have the Protected View security feature enabled, they will receive a warning: “Microsoft Office has identified a potential security concern.” Users are then prompted to choose “Enable All,” “Enable” or “Disable.”

Variants of the Zusy malware have been around for years. Early incarnations of Zusy took the form of adware. Later versions of Zusy have been updated with a spyware component used to steal information from businesses, according to researchers.

from Threatpost – English – Global – thr… http://bit.ly/2sEpUgq
