Zusy Malware Installs Via Mouseover – No Clicking Required

Zusy malware installs when victims hover over an opened PowerPoint file – no clicking needed.

Researchers are warning of several recent spam campaigns delivering PowerPoint files that when opened contain a mouseover link that installs a variant of the Zusy malware.

The malware is novel because it does not rely on macros, JavaScript or VBA macros to be enabled for the dropper file to download the malware payload. Instances of the malware are relatively low, according to researchers who attribute the small infection numbers to the fact that recent versions of Microsoft Office warn users that booby-trapped files could be malicious.

Victims must first open the PowerPoint file to become infected; once opened a “Loading… Please wait” hypertext message appears. If a user hovers over those words it triggers an infection chain that delivers the Zusy malware payload.

“When the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell,” wrote Ruben Dodge, a cyber intelligence analyst in a blog post last week.

Kevin Epstein, VP of Threat Operations at Proofpoint said the approach is new when it comes to user-triggered malware downloads. “This technique was just introduced, so there will likely be a few users caught unaware,” he said.

According to several security firms tracking the malware, Zusy is currently being spread via spam campaigns with subject lines like “Purchase Order #130527” and “Confirmation.” The name of the PowerPoint file varies from “order.ppsx”, “invoice.ppsx” or “order&prsn.ppsx.”

The technical aspect of the mouseover technique includes an “element definition for a hover action” in the hypertext phrase “Loading… Please wait” embedded in the first slide of the PowerPoint file, according to Dodge. By hovering over the hyperlink a PowerShell module is instructed visit a URL and fetch a malware downloader that’s saved to the target’s Temp folder, according to the researcher.

The final stage includes the execution of the JScript Encoded Script file (ii.jse) that pulls down the Zusy payload.

If Office 2013 and Office 2010 have the Protected View security feature enabled they will receive a warning: “Microsoft Office has identified a potential security concern.” Users are then prompted to either “Enable All,” “Enable” and “Disable.”

“It is a technique blocked by default, caught by most antivirus programs, and easily detected as an attachment type,” Epstein said. “It seems unlikely to prove as rapid to spread as other recent malware distribution approaches.”

Variants of the Zusy malware have been around for years. Early incarnations of Zusy took the form of adware. Later versions of Zusy have been updated with a spyware component used to steal information from businesses, according to researchers.

Suggested articles