Malware discovered to be delivered via mouse hover
Researchers have discovered a new technique for hackers to insidiously attack users through the malicious linking of text and images in Microsoft PowerPoint presentations.
This is a particularly concerning development for business users.
The researchers, from security firm Trend Micro, discovered what has been dubbed the ‘mouseover’ technique. It is being used by a Trojan downloader also found in a spam campaign, which has largely affected European businesses operating in the manufacturing, education, logistics, pyrotechnics, and device fabrication industries.
In a blog post, Rubio Wu and Marshall Chen, threat analysts at Trend Micro, explained: “The Trojan downloader we monitored and analysed had a variant of OTLARD banking Trojan as payload (TROJ_OTLARD.TY). OTLARD, also known as Gootkit, emerged as early as 2012 and soon evolved into an information-stealing Trojan with persistence, remote access, network traffic monitoring, and browser manipulation capabilities.”
Mark Nunnikhoven, Trend Micro's VP of cloud security, told DarkReading.com that “businesses should be more concerned about this latest technique as it shows none of the usual indicators of an infected document”. It means that firms now need to be aware that hovering over a link before clicking it to establish where it leads may no longer be safe.
Mr Wu and Mr Chen went on to warn businesses that many of the spam emails analysed featured a “pattern” in the subject matter: a financial or transaction-related word or phrase, including ‘fee’ or ‘purchase order’, followed by a serial number.
They added that this pattern indicates that the operator, or the service provider that sent the spam email on the operator's behalf, is tracking the spam emails.
According to the analysts, the malware arrives in a spam email disguised as an invoice or purchase order, with a malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) file attached.
They explained that PPS and PPSX files are unlike PowerPoint presentation files (PPT or PPTX) because they cannot be edited; PPS and PPSX open as slideshows.