
Zusy Malware Installs Via Mouseover – No Clicking Required


RV_


This one is a new delivery method! Read this and avoid losing your data. Red color emphasis mine.


Excerpt:

"Researchers are warning of several recent spam campaigns delivering PowerPoint files that when opened contain a mouseover link that installs a variant of the Zusy malware.

The malware is novel because it does not rely on macros, JavaScript or VBA macros to be enabled for the dropper file to download the malware payload. Instances of the malware are relatively low, according to researchers who attribute the small infection numbers to the fact that recent versions of Microsoft Office warn users that booby-trapped files could be malicious.

Victims must first open the PowerPoint file to become infected; once opened a “Loading… Please wait” hypertext message appears. If a user hovers over those words it triggers an infection chain that delivers the Zusy malware payload.

“When the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell,” wrote Ruben Dodge, a cyber intelligence analyst in a blog post last week.

Kevin Epstein, VP of Threat Operations at Proofpoint said the approach is new when it comes to user-triggered malware downloads. “This technique was just introduced, so there will likely be a few users caught unaware,” he said.

According to several security firms tracking the malware, Zusy is currently being spread via spam campaigns with subject lines like “Purchase Order #130527” and “Confirmation.” The name of the PowerPoint file varies: “order.ppsx”, “invoice.ppsx” or “order&prsn.ppsx.”

The technical aspect of the mouseover technique includes an “element definition for a hover action” in the hypertext phrase “Loading… Please wait” embedded in the first slide of the PowerPoint file, according to Dodge. By hovering over the hyperlink a PowerShell module is instructed to visit a URL and fetch a malware downloader that’s saved to the target’s Temp folder, according to the researcher.

The final stage includes the execution of the JScript Encoded Script file (ii.jse) that pulls down the Zusy payload."


The article is here: https://threatpost.com/zusy-malware-installs-via-mouseover-no-clicking-required/126122/

RV/Derek
http://www.rvroadie.com Email on the bottom of my website page.
Retired AF 1971-1998


When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius


“Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire
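As an added, defender-side example (not part of this post or of the Threatpost article): a small Python scanner that opens a .ppsx/.pptx package (a zip of OOXML parts) and reports every hover or click hyperlink on a slide whose action is `ppaction://program`, i.e. one that asks PowerPoint to launch an external program rather than open a web link. The element and attribute names used (`a:hlinkMouseOver`, `a:hlinkClick`, the `action` attribute, and the per-slide `.rels` part that holds the target) come from the OOXML/DrawingML schema and are my assumption about how the “element definition for a hover action” the article mentions is stored in the file. `build_sample_ppsx` constructs a minimal package containing only the parts the scanner reads, with a harmless placeholder target; it is not a real sample.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by slide parts and their relationship files (assumed schema).
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
R_ID = "{%s}id" % NS["r"]
# Hyperlink elements that can carry an action; hlinkMouseOver fires on hover alone.
TRIGGERS = ("hlinkMouseOver", "hlinkClick")
# Action URI that tells PowerPoint to run a program instead of opening a link.
PROGRAM_ACTION = "ppaction://program"


def load_slide_rels(z, slide_base):
    """Map relationship Id -> (Target, TargetMode) for one slide's .rels part."""
    rels_name = "ppt/slides/_rels/%s.xml.rels" % slide_base
    rels = {}
    if rels_name in z.namelist():
        root = ET.fromstring(z.read(rels_name))
        for rel in root.findall("rel:Relationship", NS):
            rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_hover_actions(data):
    """Return one finding per slide hyperlink whose action launches a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in sorted(z.namelist()):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            rels = load_slide_rels(z, m.group(1))
            root = ET.fromstring(z.read(name))
            for trigger in TRIGGERS:
                for el in root.iter("{%s}%s" % (NS["a"], trigger)):
                    action = el.get("action", "")
                    if not action.startswith(PROGRAM_ACTION):
                        continue  # ordinary web/slide links are not flagged
                    target, mode = rels.get(el.get(R_ID), ("", ""))
                    findings.append({
                        "slide": m.group(1),
                        "trigger": trigger,
                        "action": action,
                        "target": target,
                        "external": mode == "External",
                    })
    return findings


# Constructed slide and relationship parts for the sample package (not a real file).
SLIDE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"
       xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"
       xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>
    <a:rPr lang="en-US"><a:{trigger} r:id="rId2"{action}/></a:rPr>
    <a:t>Loading... Please wait</a:t>
  </a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld>
</p:sld>"""

RELS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId2"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="{target}" TargetMode="External"/>
</Relationships>"""


def build_sample_ppsx(trigger="hlinkMouseOver", action=PROGRAM_ACTION,
                      target="placeholder-program.exe"):
    """Build a minimal constructed package: one slide plus its .rels part."""
    action_attr = ' action="%s"' % action if action else ""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("ppt/slides/slide1.xml",
                   SLIDE_XML.format(trigger=trigger, action=action_attr))
        z.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML.format(target=target))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_hover_actions(build_sample_ppsx()):
        print("%(slide)s: %(trigger)s -> %(action)s target=%(target)r "
              "external=%(external)s" % f)
```

For triage, any `ppaction://program` reached from a `hlinkMouseOver` is a strong signal on its own, since legitimate decks almost never need a program to run on hover; the `target` field shows what would be launched, which is where the PowerShell invocation the article describes would appear. The scanner reads only the slide and `.rels` parts, so it works on attachments in a mail gateway or sandbox without opening them in Office.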
