New PowerPoint Exploit Launches on Hover

A new exploit that uses a PowerPoint feature that enables “mouse-over actions.”  This feature allows a PowerPoint slide show to initiate activity without having to actually click on a link.  Just hovering on a link is enough to advance to the next step.  Since we have been teaching people for years to reveal a link destination by hovering over a link to show the top tip box, this exploit would take advantage of that security practice.

This exploit is usually delivered in a phishing email as an attachment, using subject lines like “Purchase Order #XXXXXX” and “Confirmation”.  When opening the PowerPoint attachment, a single slide appears that says, “Loading…Please wait.  Clicking on or even just hovering over the link will run a PowerPoint shell command to launch the malware payload.

Fortunately, Microsoft Office users running updated version of PowerPoint should be protected by the Protected View security feature.  PowerPoint will spawn a security warning window that requires users to override the security feature to run the shell code.  Many users would be put off by the warning and stop at this step.  Hopefully this applies to your user group.

This exploit is delivering updated versions of the Tinba banking Trojan, such as Zusy and Gootkit.  These banking Trojans are known to spawn realistic looking browser pop-up windows such as the one below.  These forms are used to steal information and send it to the attacker.

Your best defense is to make sure the Protected View is enabled in your Office installations.  Then alert your user group to this new threat.  The bank account balance they save may be their own.  Please refer your user group to this article if you wish.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.