Researcher Ruben Daniel Dodge, a cyber intelligence analyst for a Fortune 500 company, found that PowerPoint presentations are now being used in this way. If the PowerPoint file is opened, the user is presented with a dialogue that simply says “Loading…Please Wait” with a blue hyperlink in it. The idea is that the targeted victim will move the mouse over that link, and the malware executes on that mouseover without any click.
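Because a mouseover action lives in the slide XML inside the .ppsx/.pptx ZIP container, a defender can triage attachments for it without opening them in PowerPoint. The following script is an added example written for this article, not code from the researcher or from any vendor: it unpacks a presentation, looks for DrawingML `a:hlinkMouseOver` elements, resolves each one through the slide's relationships file, and rates it. The `ppaction://program` and `ppaction://macro` action URIs are the PowerPoint action scheme as I know it from the OOXML format; the two-shape sample presentation built in memory (one ordinary click link, one mouseover action with a `PLACEHOLDER_EXTERNAL_COMMAND` target) is constructed purely as a test fixture.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespaces used by PresentationML/DrawingML slides and OPC relationship files.
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]
MOUSEOVER = "{%s}hlinkMouseOver" % NS["a"]


@dataclass
class MouseOverFinding:
    slide: str          # part name inside the ZIP, e.g. ppt/slides/slide1.xml
    action: str         # value of the action attribute, if any
    target: str         # relationship Target the r:id points at
    target_mode: str    # "External" or "Internal"

    def severity(self) -> str:
        # Assumption: ppaction://program and ppaction://macro launch code on hover.
        # Any other mouseover hyperlink is still unusual in a business document.
        if self.action.startswith(("ppaction://program", "ppaction://macro")):
            return "high"
        return "medium"


def load_rels(zf: zipfile.ZipFile, part_name: str) -> dict:
    """Map relationship Id -> (Target, TargetMode) for one slide part."""
    folder, _, base = part_name.rpartition("/")
    rels_name = f"{folder}/_rels/{base}.rels"
    rels = {}
    if rels_name in zf.namelist():
        root = ET.fromstring(zf.read(rels_name))
        for rel in root.findall("rel:Relationship", NS):
            rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_presentation(data: bytes) -> list:
    """Return one MouseOverFinding per a:hlinkMouseOver element in any slide."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if not (name.startswith("ppt/slides/") and name.endswith(".xml")):
                continue
            rels = load_rels(zf, name)
            root = ET.fromstring(zf.read(name))
            for el in root.iter(MOUSEOVER):
                target, mode = rels.get(el.get(R_ID, ""), ("", "Internal"))
                findings.append(MouseOverFinding(name, el.get("action", ""), target, mode))
    return findings


def build_sample_ppsx() -> bytes:
    """Constructed test fixture: one benign click link, one mouseover action link."""
    slide_xml = """<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <p:cSld><p:spTree>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr><a:hlinkClick r:id="rId1"/></a:rPr><a:t>Company website</a:t>
    </a:r></a:p></p:txBody></p:sp>
    <p:sp><p:txBody><a:p><a:r>
      <a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
      <a:t>Loading...Please Wait</a:t>
    </a:r></a:p></p:txBody></p:sp>
  </p:spTree></p:cSld>
</p:sld>"""
    rels_xml = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="PLACEHOLDER_EXTERNAL_COMMAND" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_presentation(build_sample_ppsx()):
        print(f"[{f.severity()}] {f.slide}: mouseover action={f.action!r} "
              f"target={f.target!r} ({f.target_mode})")
```

Run it against a real attachment by replacing `build_sample_ppsx()` with the file's bytes; the scanner never renders the slides, so the mouseover action is listed but never triggered. The ordinary click hyperlink on the first shape produces no finding, which is the point: hover-triggered links, not links in general, are what a mail gateway or analyst should single out.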
This is very tricky indeed and underscores the importance of not opening any attachments in emails if the sender is unknown and/or the file is not expected. This cannot be stressed enough. However, going forward it’s also important not to hover the mouse pointer over any links that may arrive in any emails unless there is 100% certainty that whatever is behind it is safe.
As we can see, methods of the cybercriminals are constantly changing and evolving. Every time we think we might just have them figured out, they create a new way to trick us. Keeping our guard up for new tricks of the trade is continuing to be a priority for everyone.
Dodge found that this particular attack opens a backdoor, likely so the attackers can come back at a later time and wreak havoc. However, at the time of his analysis he wasn’t able to tell exactly what the backdoor was intended for. Perhaps there will be a follow-up on that later. What SentinelOne researchers found is that this one delivered a variant of the banking trojan Tiny Banker (aka Zusy or Tinba).
This email message was seen with files named “order.ppsx” or “invoice.ppsx” and subject lines such as “Purchase order #130527” or “Confirmation.” Keep in mind that while it is possible, most companies don’t use PowerPoint to send out documents meeting these criteria.
Here is an additional consideration. If the file is opened in Protected View, which is enabled by default in currently supported versions of Microsoft Office, a dialogue does appear letting the user know there is a risk and providing an opportunity to enable or disable content. If “disable” is chosen, and it should be, the code will not execute. In addition, the risk may be lowered if users heed the warning that code will be executed when the file is opened in PowerPoint Viewer. If the “decline” option is chosen there, it also will not be set loose.