Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Infection by Mouseover: PowerPoint Spam

June 27, 2017

Malware-laced PowerPoint files are nothing new. One well-known case involved the spread of Sandworm malware a few years ago. But several recent spam campaigns have taken advantage of a PowerPoint trick that makes it possible to drop malware without requiring the click of a link.

SophosLabs explains this attack technique below – simply hovering a mouse pointer over a tainted PowerPoint slide is enough to trigger the infection. Also, contrary to most common Office malware, macros needn't be enabled for the attack to work.

Yup, something else to train your employees about.

If such a file is opened, a "Loading… Please wait" hypertext message appears, and hovering the mouse anywhere over the image sparks the infection sequence. The spam emails have included subject lines such as "Purchase Order #954288" and "Confirmation." PowerPoint file names have included "order.ppsx", "invoice.ppsx" and "order&prsn.ppsx."

The mouseover technique includes an "element definition for a hover action" in the hypertext phrase "Loading… Please wait." When the mouse pointer hovers over the hyperlink, a PowerShell command is executed and the JSE downloader script is saved and executed in the target's Temp folder. SophosLabs decoded the JSE file and found the code was heavily obfuscated using a common string manipulation technique where each character was wrapped in a "fromCharCode" function call.

The downloaded JSE uses anti-sandboxing/anti-analysis techniques like checking for known processes and sleeping for large periods of time. When the JSE file is opened, the malicious payload is launched. SophosLabs detects that payload as Troj/Agent-AWLL.

Defensive measures include:

  • Use email filtering software at your email gateway to block spam as well as email-borne spyware, viruses and worms.
  • If you don't know the sender of an unsolicited email, delete it.
  • Keep images turned off in your email client. Turning off images stops spammers and marketing folks from seeing when you've opened or previewed an email.

It's also important to remember that spam campaigns like this one require a series of user actions for the attack to work. Social engineering tricks are used to dupe people into taking those actions.

To learn about the typical manipulation techniques and how to avoid them, read this related Sophos News article on social engineering.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson