New attack vector delivers malware via “mouse over”
The era of infecting users by tricking them into clicking might as well be over. A new attack vector for dropping malware on victims has emerged: the “mouse over” technique, discovered by Trend Micro researchers. In a nutshell, it relies on the victim hovering the mouse pointer over a hyperlink.
EMEA businesses in sectors such as education, logistics, manufacturing, and device fabrication have been infected by a Trojan downloader delivered through a spam campaign. The Trojan, dubbed “Gootkit” or “OTLARD”, first appeared in 2012. Its main purpose is to steal information, mainly banking credentials, and it can also monitor network traffic, gain remote access, and manipulate browsers.
Recently, however, the Trojan has been delivered through the new attack vector. A spam email arrives with a malicious PowerPoint file attached under the pretense of an invoice or purchase order. These files come in PPSX or PPS format rather than the more common PPT or PPTX. In other words, they open directly in presentation mode.
Once the victim hovers over the malicious link or image and enables the content to run, the Trojan is downloaded and gets to work. Although only PowerPoint is affected, other products such as Microsoft Word are expected to face similar threats because they have the same functionality. Moreover, macros and mouse-over actions are important to the day-to-day operations of businesses.
There are a few ways to defend against this attack vector:
- The technique does not work in the “Web mode” of Office.
- Use web filtering to block sites that host the malware.
- Use Protected View to cut down on infections.
- IT admins can disable macros, OLE objects, and mouse-over actions; if these features are needed, Trend Micro suggests allowing only approved ones and enabling them only in the apps and software that use them.