Malware-laced PowerPoint files are nothing new. One well-known case involved the spread of Sandworm malware a few years ago. But several recent spam campaigns have taken advantage of a PowerPoint trick that makes it possible to drop malware without requiring the click of a link.
SophosLabs explains this attack technique below – simply hovering a mouse pointer over a tainted PowerPoint slide is enough to trigger the infection. Also, contrary to most common Office malware, macros needn't be enabled for the attack to work.
Yup, something else to train your employees about.
If such a file is opened, a "Loading… Please wait" hypertext message appears. Hovering the mouse anywhere over the image will spark the infection sequence: The spam emails have included such subject lines as "Purchase Order #954288" and "Confirmation." PowerPoint file names have included "order.ppsx", "invoice.ppsx" and "order&prsn.ppsx."
The mouseover technique includes an "element definition for a hover action" in the hypertext phrase "Loading… Please wait." When the mouse pointer hovers over the hyperlink, a PowerShell command is executed and the JSE downloader script is saved and executed in the target's Temp folder. SophosLabs decoded the JSE file and found the code was heavily obfuscated using a common string manipulation technique where each character was wrapped in a "fromCharCode" function call.
The downloaded JSE uses anti-sandboxing/anti-analysis techniques like checking for known processes and sleeping for large periods of time. When the JSE file is opened, the malicious payload is launched. SophosLabs detects that payload as Troj/Agent-AWLL.
Defensive measures include:
- Use email filtering software at your email gateway to block spam as well as email-borne spyware, viruses and worms.
- If you don't know the sender of an unsolicited email, delete it.
- Keep images turned off in your email client. Turning off images stops spammers and marketing folks from seeing when you've opened or previewed an email.
It's also important to remember that spam campaigns like this one require a series of user actions for the attack to work. Social engineering tricks are used to dupe people into taking those actions.
To learn about the typical manipulation techniques and how to avoid them, read this related Sophos News article on social engineering.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology