Earlier this week, the security expert Ruben Daniel Dodge published an interesting post on a new technique to deliver malware through PowerPoint files by leveraging mouseover events. Now experts at Trend Micro have revealed details of a spam campaign, detected in late May, that leverages the technique.
Researchers Rubio Wu and Marshall Chen observed the campaign targeting specific organizations in the U.K., Poland, Netherlands, and Sweden.
“This technique is employed by a Trojan downloader (detected by Trend Micro as TROJ_POWHOV.A and P2KM_POWHOV.A), which we’ve uncovered in a recent spam email campaign in the EMEA region, especially organizations in the U.K., Poland, Netherlands, and Sweden. Affected industries include manufacturing, device fabrication, education, logistics, and pyrotechnics.” reads the report published by TrendLabs.
Malicious messages are disguised as an invoice or purchase order, and their subject line consists of a finance-related word followed by a number.
“In some of the spam emails we saw, the subject lines had a pattern—using a financial or transaction-related word (or phrase), such as “fee”, or “purchase orders”, then followed by a serial number. The pattern we saw is “[fee] #__NUM__”, indicating that the operator, or the service provider that sends the spam email on behalf of the operator, are tracking the spam messages they send.” continues the report.
The emails have a malicious PowerPoint Show file attached that opens the document directly in presentation mode.
The malicious content will attempt to run as soon as the user moves the mouse over the presentation, but it is intercepted by the Microsoft Protected View mechanism and needs the user’s interaction to enable the macros.
“Once the would-be victim downloads and opens the file, user interaction is needed—hovering over the text or picture embedded with a malicious link (which triggers a mouseover action), and choosing to enable the content to run when prompted by a security notice pop-up. Microsoft disables the content of suspicious files by default—via Protected View for later versions of Office—to mitigate the execution of malicious routines that abuse features in Microsoft Office, such as macros and Object Linking and Embedding (OLE).” states the analysis published by Trend Micro. “Hence, a key ingredient in the infection chain is social engineering—luring the victim into opening the file and enabling the malware-laced content to run on the system.”
Once the macro is executed by the user, the document runs an embedded malicious PowerShell script that downloads another downloader (JS_NEMUCOD.ELDSAUGH) in the form of a JScript Encoded File (JSE). That downloader then retrieves the final payload, the OTLARD banking Trojan (aka Gootkit), from a command-and-control server.
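As an added defender-side example (not code from the original article or from Trend Micro's report), the following Python script inspects the slide XML inside a PPTX/PPSX package for a mouseover hyperlink whose action is `ppaction://program`, which is the hover-to-launch trigger the analysis describes; ordinary click hyperlinks are not flagged. The package it scans is a minimal fixture constructed inline with a placeholder target, and the `build_sample` helper is hypothetical, not something the campaign used.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A_NS = "{http://schemas.openxmlformats.org/drawingml/2006/main}"
R_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def find_mouseover_program_actions(pptx_bytes):
    """Return (slide, target) for every a:hlinkMouseOver whose action is
    ppaction://program, i.e. hovering launches the program named in the
    slide's relationship file. PPSX uses the same package layout as PPTX."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        names = z.namelist()
        for name in names:
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            # Relationship ids used in the slide resolve to targets in this file.
            rels_name = name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_name in names:
                for rel in ET.fromstring(z.read(rels_name)).iter(PKG_NS + "Relationship"):
                    rels[rel.get("Id")] = rel.get("Target")
            for el in ET.fromstring(z.read(name)).iter(A_NS + "hlinkMouseOver"):
                if el.get("action", "").startswith("ppaction://program"):
                    findings.append((name, rels.get(el.get(R_NS + "id"))))
    return findings

SLIDE = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
         'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
         'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
         '<p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Loading...">'
         '{link}</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>')
RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/hyperlink" Target="{target}" TargetMode="External"/></Relationships>')

def build_sample(hover_program):
    """Constructed fixture (hypothetical helper): a minimal slide package. With
    hover_program=True the shape carries a mouseover program action pointing at
    a placeholder command; otherwise it carries a plain click link to a web page."""
    link = ('<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>' if hover_program
            else '<a:hlinkClick r:id="rId2"/>')
    target = "PLACEHOLDER_COMMAND" if hover_program else "https://example.com/"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE.format(link=link))
        z.writestr("ppt/slides/_rels/slide1.xml.rels", RELS.format(target=target))
    return buf.getvalue()

if __name__ == "__main__":
    print(find_mouseover_program_actions(build_sample(True)))   # [('ppt/slides/slide1.xml', 'PLACEHOLDER_COMMAND')]
    print(find_mouseover_program_actions(build_sample(False)))  # []
```

Run against real attachments at the mail gateway, any hit is worth quarantining for review regardless of whether Protected View would later prompt the user.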
The experts noticed that the number of malicious messages is limited, a circumstance that suggests this campaign may be followed by large-scale attacks leveraging the ‘mouseover’ technique.
“And while the numbers aren’t impressive, it can also be construed as a dry run for future campaigns, given the technique’s seeming novelty. It wouldn’t be far-fetched for other malware like ransomware to follow suit, for instance, considering the notoriety of OTLARD/Gootkit’s operators for spreading other threats in their payloads, as well as ransomware’s history with using malware-laced Office documents.” states Trend Micro.
The researchers highlighted that this tactic is typical of the Gootkit operators, who usually run small campaigns focused on a limited number of countries before launching larger attacks.
In order to prevent these attacks, users must ensure that Microsoft’s Protected View is enforced and remain vigilant about the mail they receive, refusing to enable macros.
(Security Affairs – Gootkit Trojan, malware)