RV_ Posted June 7, 2017 Report Share Posted June 7, 2017 This one is a new delivery method! Read this and avoid losing your data. Red color emphasis mine. Excerpt: "Researchers are warning of several recent spam campaigns delivering PowerPoint files that when opened contain a mouseover link that installs a variant of the Zusy malware. The malware is novel because it does not rely on macros, JavaScript or VBA macros to be enabled for the dropper file to download the malware payload. Instances of the malware are relatively low, according to researchers who attribute the small infection numbers to the fact that recent versions of Microsoft Office warn users that booby-trapped files could be malicious. Victims must first open the PowerPoint file to become infected; once opened a “Loading… Please wait” hypertext message appears. If a user hovers over those words it triggers an infection chain that delivers the Zusy malware payload. “When the user mouses over the text (which is the most common way users would check a hyperlink) it results in PowerPoint executing PowerShell,” wrote Ruben Dodge, a cyber intelligence analyst in a blog post last week. Kevin Epstein, VP of Threat Operations at Proofpoint said the approach is new when it comes to user-triggered malware downloads. “This technique was just introduced, so there will likely be a few users caught unaware,” he said. According to several security firms tracking the malware, Zusy is currently being spread via spam campaigns with subject lines like “Purchase Order #130527” and “Confirmation.” The name of the PowerPoint file varies from “order.ppsx”, “invoice.ppsx” or “order&prsn.ppsx.” The technical aspect of the mouseover technique includes an “element definition for a hover action” in the hypertext phrase “Loading… Please wait” embedded in the first slide of the PowerPoint file, according to Dodge. By hovering over the hyperlink a PowerShell module is instructed visit a URL and fetch a malware downloader that’s saved to the target’s Temp folder, according to the researcher. The final stage includes the execution of the JScript Encoded Script file (ii.jse) that pulls down the Zusy payload. The article is here: https://threatpost.com/zusy-malware-installs-via-mouseover-no-clicking-required/126122/ RV/Derekhttp://www.rvroadie.com Email on the bottom of my website page.Retired AF 1971-1998 When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius “Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.