Zusy Malware Spreading via PPTs, No Clicking Required

Exterminator

Malicious PowerPoint presentations are spreading a malware that executes when the user “mouses over” a link—no clicking or macros required.

“This document was interesting as it did not rely on macros, Javascript or VBA for the execution method,” explained Ruben Dodge, in his Dodge This Security blog, in an analysis. “Which means this document does not conform to the normal exploitation methods.”

When the user opens the document, he or she will be presented with text saying, “Loading…Please wait,” which is displayed as a blue hyperlink. When the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell. When that PowerShell is executed it reaches out to a malicious domain, downloading various executables and eventually establishing remote desktop protocol (RDP) for remote access to the system.

“I sandboxed the payload for eight hours but no threat actors connected to the system,” said Dodge, who describes himself as a cyber-intelligence analyst at a Fortune 50. “So I was unable to see what other purpose the backdoor might have if the threat actors had taken specific interest in the system.”

Caleb Fenton and Itai Liba, senior security researchers at SentinelOne Labs, said that the propagation technique is being used to distribute a new variant of a malware called “Zusy,” which is a spyware Trojan. In this campaign, the PowerPoint file is attached to spam emails with titles like “Purchase Order #130527” and “Confirmation”.
 

kamla5abi

o_O:eek:
enough people have heard the "don't click on spam email or something you think is fishy or not legit" speech enough times for it to mostly stick
but just mousing over the link is a crazy method of attack that will probably work very well for the malware creator(s) :(
 
