The newly discovered technique was noticed by several cybersecurity researchers – with dodgethissecurity doing an extensive analysis. The information security blog reported that an attack begins with the target receiving an email containing an attached PowerPoint document.
When the presentation is opened, the target sees a “Loading….Please Wait” message with many hyperlinks that appear blue. When the victim follows their natural inclination to hover their cursor over the “hyperlink” to check where it links, the document executes a PowerShell command. It’s that simple.
“When that PowerShell is executed, it reaches out to the domain ‘cccn.nl’ for a c.php file and downloads it to disk as a file named ‘ii.jse’ in the temp folder,” Dodgethissecurity wrote. But, the report added, even after waiting eight hours no cybercriminal connected to the system.
Jérôme Segura, the lead malware intelligence analyst at Malwarebytes, told SC Media on Thursday that the mouse-over technique is “novel and interesting.” The fact that this attack vector does not rely on a macro could make it less suspicious-looking to users and system administrators. Luckily, he said, it does not automatically run the malicious code but instead requires the user to accept a prompt before the infection proceeds.
“Like most distribution tactics, the proof of their efficiency is in how widespread their adoption is. For now, we are still seeing malicious spam that contains macros or various scripts. However, we know threat actors keep tabs on infection statistics and can easily adjust their campaigns to pick the one with the best ROI,” Segura said.
Limor Kessem, IBM’s executive security adviser, noted to SC Media that, since this type of attack is hard to spot, everyone has to fall back on their email security scheme.
“Indeed, this is a new technique and is quite malicious because the user is not taking much action, other than opening the file. This makes it harder to warn users about this method, but at the very least, all email users should be wary when opening files from unsolicited email. If the matter is not clear, it’s best to call the sender and verify that the file was indeed sent by them. If the email comes from an unknown source, don’t even open the email, nor the files it contains,” she said.