New PowerPoint Exploit Launches on Hover

A new exploit uses a PowerPoint feature that enables “mouse-over actions.” This feature allows a PowerPoint slide show to initiate activity without the user having to actually click on a link. Just hovering over a link is enough to advance to the next step. Since we have been teaching people for years to reveal a link destination by hovering over the link to show the tool tip box, this exploit takes advantage of that security practice.

This exploit is usually delivered in a phishing email as an attachment, using subject lines like “Purchase Order #XXXXXX” and “Confirmation”. When the PowerPoint attachment is opened, a single slide appears that says, “Loading…Please wait.” Clicking on or even just hovering over the link will run a PowerPoint shell command to launch the malware payload.

Fortunately, Microsoft Office users running an updated version of PowerPoint should be protected by the Protected View security feature. PowerPoint will spawn a security warning window that requires users to override the security feature to run the shell code. Many users would be put off by the warning and stop at this step. Hopefully this applies to your user group.

This exploit is delivering updated versions of the Tinba banking Trojan, such as Zusy and Gootkit. These banking Trojans are known to spawn realistic-looking browser pop-up windows such as the one below. These forms are used to steal information and send it to the attacker.

Your best defense is to make sure Protected View is enabled in your Office installations. Then alert your user group to this new threat. The bank account balance they save may be their own. Please refer your user group to this article if you wish.
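One way to check the Protected View setting recommended above is the PowerShell audit below. It is an added example, not part of the original article, and it assumes the registry locations and value names that Office uses for PowerPoint's Protected View options (Trust Center and Group Policy) in the current user's hive.

```powershell
# Added example: audit PowerPoint Protected View settings for the current user.
# A value of 1 turns Protected View OFF for that file source;
# 0 or an absent value leaves it on (the Office default).
$versions = '14.0', '15.0', '16.0'   # Office 2010, 2013, 2016 and later
$settings = [ordered]@{
    DisableInternetFilesInPV   = 'Files downloaded from the internet'
    DisableAttachmentsInPV     = 'Outlook attachments'
    DisableUnsafeLocationsInPV = 'Files in potentially unsafe locations'
}

function Get-ProtectedViewState {
    param([string]$Version)
    # Group Policy values take precedence over the user's Trust Center choices.
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\PowerPoint\Security\ProtectedView"
    $userKey   = "HKCU:\Software\Microsoft\Office\$Version\PowerPoint\Security\ProtectedView"
    $lookups   = @(@{ Key = $policyKey; Label = 'policy' }, @{ Key = $userKey; Label = 'user' })
    foreach ($name in $settings.Keys) {
        $source = 'default'; $value = 0
        foreach ($entry in $lookups) {
            $prop = Get-ItemProperty -Path $entry.Key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = [int]$prop.$name; $source = $entry.Label; break }
        }
        [pscustomobject]@{
            OfficeVersion = $Version
            Setting       = $name
            AppliesTo     = $settings[$name]
            SetBy         = $source
            ProtectedView = if ($value -eq 1) { 'DISABLED' } else { 'Enabled' }
        }
    }
}

# Only report Office versions that have a PowerPoint key for this user.
$report = foreach ($v in $versions) {
    if (Test-Path "HKCU:\Software\Microsoft\Office\$v\PowerPoint") {
        Get-ProtectedViewState -Version $v
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object ProtectedView -eq 'DISABLED') {
    Write-Warning 'Protected View is turned off for at least one file source.'
}
```

Run it in the user's own session, since the values live under HKCU; a row marked DISABLED with SetBy "user" means someone switched the option off in the Trust Center.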

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
