
Zusy malware: Are your PowerPoint files at risk?

Several spam campaigns were discovered delivering a malicious PowerPoint file. Learn how Zusy malware is delivered when a user merely hovers over hyperlinked text, and how systems can be protected.

Researchers have discovered several spam campaigns that deliver PowerPoint files containing a malicious hyperlink that doesn't need to be clicked to activate. When victims open a file and hover their cursor over the hypertext, the Zusy malware payload is delivered to their computer. How does this technique work?

Unexpected functionality can surprise any user, particularly when it involves launching another program. Such functionality may be legitimately needed to play a video in a PowerPoint presentation or to run an advanced analysis in Excel; few users know all of the features in Excel, or even in their most-used Office application, because the applications have become so complex.

Much of the potentially dangerous functionality that Microsoft now warns users about before executing is legacy functionality, or features used by only a small percentage of users. Microsoft doesn't necessarily know which features consumers use on their own computers, though on a cloud service it might. Dodge This Security blogged about a new method, discussed on Peerlyst, for delivering malware such as Zusy with a malicious PowerPoint file that does not rely on macros, JavaScript or Visual Basic for Applications embedded in the document.

The Zusy campaign relies on social engineering: the slide shows text such as "Loading, please wait" that looks like a URL, inviting the user to move the mouse over it, and that hover delivers the payload. Most standard security advice tells users to hover over a link to preview it before clicking; here, the hover itself is the trigger. PowerPoint supports a mouse-over action on text or shapes that can run a program, and in this case that action invokes a PowerShell command, which begins the infection. The PowerShell command downloads a malicious JavaScript file into the local temp folder; that file is executed and downloads a further file with an embedded malicious executable. The executable is then run via the original PowerShell command, giving the attacker remote access to the system, and several further steps are taken to clean up and hide the attack.
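Because the trigger lives in the document's own XML rather than in a macro, a mail gateway or incident responder can find it without opening the file in PowerPoint. The following scanner is an added example written for this article, not code from the campaign or from the researchers it cites. It unpacks a .pptx/.ppsx (which is a zip of Open XML parts), looks in each slide for DrawingML `a:hlinkMouseOver` and `a:hlinkClick` elements whose `action` is `ppaction://program` (PowerPoint's "Run program" action), and resolves the referenced relationship to the command line that would run. The sample deck it builds in memory is constructed for the demonstration; the PowerShell command inside it is a harmless placeholder, and the ATT&CK-style labels in the output are the author's, not the page's.

```python
"""Scan a .pptx/.ppsx for PowerPoint action hyperlinks that launch a program."""
import io
import re
import zipfile
from urllib.parse import unquote
from xml.etree import ElementTree as ET

NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
RID_ATTR = "{%s}id" % NS["r"]

# "ppaction://program" is the action URI PowerPoint writes for "Run program".
# hlinkMouseOver fires on hover, hlinkClick on click; both can carry it.
PROGRAM_ACTION = "ppaction://program"
TRIGGERS = ("hlinkMouseOver", "hlinkClick")


def load_rels(zf, slide_path):
    """Return {rId: Target} for a slide's relationship part (slideN.xml.rels)."""
    folder, name = slide_path.rsplit("/", 1)
    rels_path = f"{folder}/_rels/{name}.rels"
    if rels_path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_path))
    return {r.get("Id"): r.get("Target") for r in root.findall("rel:Relationship", NS)}


def scan_pptx(data: bytes):
    """Return (slide_part, trigger, action, command) for every program action found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = sorted(n for n in zf.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide in slides:
            rels = load_rels(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for trigger in TRIGGERS:
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    action = el.get("action", "")
                    if action.startswith(PROGRAM_ACTION):
                        # The command line is stored percent-encoded as the hyperlink Target.
                        target = rels.get(el.get(RID_ATTR), "<no relationship>")
                        findings.append((slide, trigger, action, unquote(target)))
    return findings


def build_sample(hover_action: str = PROGRAM_ACTION) -> bytes:
    """Constructed minimal deck: one slide whose text run carries a mouse-over action.

    The default builds the Zusy-style 'Run program' hover; pass a navigation action
    (e.g. 'ppaction://hlinkshowjump?jump=nextslide') to build a benign deck instead.
    """
    slide_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:a="{NS['a']}" xmlns:r="{NS['r']}"
       xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="{hover_action}"/></a:rPr>
      <a:t>Loading, please wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    # Placeholder command (harmless echo), percent-encoded as PowerPoint stores it.
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS['rel']}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="powershell%20-NoP%20-W%20Hidden%20-c%20%22echo%20demo%22" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for slide, trigger, action, command in scan_pptx(build_sample()):
        print(f"{slide}: {trigger} -> {action}\n  runs: {command}")
    print("benign deck findings:", scan_pptx(build_sample("ppaction://hlinkshowjump?jump=nextslide")))
```

Run it against real files by replacing `build_sample()` with the bytes of the attachment; a hit on `hlinkMouseOver` with `ppaction://program` is the hover trigger the campaign used, and the decoded target shows exactly what would be executed. Navigation actions (`hlinkshowjump`, `hlinksldjump`) are normal in legitimate decks and are deliberately not flagged.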

To block an attack like Zusy, consumers and organizations should use an application allowlisting tool (such as AppLocker) that blocks all unapproved executables. Likewise, disabling Windows Script Host (the wscript.exe and cscript.exe interpreters that run the downloaded JavaScript file) or restricting PowerShell usage could prevent the attack from taking complete control of the system. Keeping Protected View enabled for files from email and the internet also helps: the mouse-over action does not fire while a file is open in Protected View, and Office displays a security prompt before running an external program, so users should be told not to enable editing or accept such a prompt for an unexpected attachment.


This was last published in December 2017
