Researchers have discovered a new technique for hackers to insidiously attack users through the malicious linking of text and images in Microsoft PowerPoint presentations.
This is a particularly concerning development for business users.
The researchers, from security firm Trend Micro, discovered what has been dubbed the ‘mouseover’ technique. It is being used by a Trojan downloader also found in a spam campaign, which has largely affected European businesses operating in the manufacturing, education, logistics, pyrotechnics, and device fabrication industries.
In a blog post, Rubio Wu and Marshall Chen, threat analysts at Trend Micro, explained: “The Trojan downloader we monitored and analysed had a variant of OTLARD banking Trojan as payload (TROJ_OTLARD.TY). OTLARD, also known as Gootkit, emerged as early as 2012 and soon evolved into an information-stealing Trojan with persistence, remote access, network traffic monitoring, and browser manipulation capabilities.”
Mark Nunnikhoven, Trend Micro's VP of cloud security, told DarkReading.com that “businesses should be more concerned about this latest technique as it shows none of the usual indicators of an infected document”. This means firms now need to be aware that hovering over a link to establish where it leads before clicking it may no longer be safe.
Mr Wu and Mr Chen went on to warn businesses that many of the spam emails analysed featured a “pattern” in which a financial or transaction-related word or phrase, such as ‘fee’ or ‘purchase order’, was followed by a serial number.
They added that this pattern indicates that the operator, or a service provider sending the spam email on the operator's behalf, is tracking the spam emails.
According to the analysts, the malware arrives in a spam email disguised as an invoice or purchase order, with a malicious Microsoft PowerPoint Open XML Slide Show (PPSX) or PowerPoint Show (PPS) file attached.
They explained that PPS and PPSX files are unlike PowerPoint presentation files (PPT or PPTX) because they cannot be edited; PPS and PPSX open as slideshows.