Cybercriminals are using malware that downloads after the user hovers over a link in a PowerPoint slideshow.
The PowerPoint file contains a single piece of hyperlinked text, shown as “Loading… please wait”, that has an embedded malicious PowerShell script.
If users are using a new version of MS Office, they will still need to approve the malware’s download.
If the recipient opens the PowerPoint file and hovers over the hyperlinked text in the document, it will run a PowerShell command that connects to a malicious domain and downloads malware files.
The malware is delivered by email, with subject headers and attachment file names such as Invoice and purchase order.
The attached files are in the open-source version of the MS PowerPoint slide show format (PPSX), which is only for viewing and can’t be edited like normal PPT or PPTX files.
Researchers detected a spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The hackers behind this spam have previously used macro malware documents to deliver different payloads.
The modern versions of the PC suite have Protected View, which will show a prompt warning about a “potential security concern” when the script starts running.
However, older versions of the suite don’t have an extra layer of security. The downloader can install a Trojan virus into the system to steal user credentials and bank account information.
Spam campaigns with malicious attachments often blast out tens of millions of messages in a matter of hours. It’s not clear what the average success rate of the mouse-over technique is. A rate of 0.5 percent represents a major threat to organizations and individuals all over the world, particularly those using older versions of Office.