A new variant of the malware known as “Zusy” has been found in the wild, spreading as a PowerPoint file attached to spam emails with subjects such as “Purchase Order #130527” and “Confirmation”. It is notable because it does not require the user to enable macros in order to execute. Most Office malware relies on users enabling macros, which then download an executable payload that performs most of the malicious activity; this sample does not follow that usual approach.
SentinelOne Labs detects this threat and users are protected.
“Disable macros and always be extra careful when you manually enable them while opening Microsoft Office Word documents.”
With this technique, when the user opens the document they are presented with the text “Loading…Please wait”, displayed as a blue hyperlink.
When the user mouses over “Loading…Please wait” (hovering is the usual way users check a link), PowerPoint executes PowerShell; in this case PowerShell is invoked with a small script that downloads an additional payload. This is accomplished by an element definition for a hover action: the hover action is set up so that PowerPoint executes a program once the user mouses over the text. However, the code does not execute automatically as soon as the file is opened. Instead, both Office 2013 and Office 2010 display a severe warning by default:
“It’s a warning message to the users when they mouse over the link”
This is the dropper stage. Users might still enable the external program because they are lazy, in a hurry, or are only used to blocking macros. Also, some configurations may be more permissive about executing external programs than they are about macros.
The PowerPoint Viewer does not seem to be vulnerable at all, because it refuses to execute the program:
If the user ignores this warning and allows the program to run, the malicious program connects to the “cccn.nl” domain, from which it downloads and executes a file that is ultimately responsible for delivering a new variant of the banking Trojan Zusy.
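As an added defender-side example (not code from the original article), the following Python script inspects a .pptx package for the hover-action element the text describes, namely a DrawingML hlinkMouseOver (or its click counterpart hlinkClick) whose action is ppaction://program, and resolves the relationship target that PowerPoint would launch. The embedded slide XML and relationship part are a constructed minimal sample, and placeholder-program.exe is a placeholder target, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
PROGRAM_ACTION = "ppaction://program"  # PowerPoint action URI that launches a program
TRIGGERS = {f"{{{A_NS}}}hlinkMouseOver", f"{{{A_NS}}}hlinkClick"}  # hover and click actions

def find_program_actions(pptx_bytes):
    """Return (slide part, trigger, resolved target) for every program-launch action."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in sorted(z.namelist()):
            if not (name.startswith("ppt/slides/slide") and name.endswith(".xml")):
                continue
            # r:id values are resolved through the slide's own relationship part
            rels_name = name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
            rels = {}
            if rels_name in z.namelist():
                for rel in ET.fromstring(z.read(rels_name)).iter(f"{{{PKG_NS}}}Relationship"):
                    rels[rel.get("Id")] = rel.get("Target")
            for el in ET.fromstring(z.read(name)).iter():
                if el.tag in TRIGGERS and el.get("action") == PROGRAM_ACTION:
                    target = rels.get(el.get(f"{{{R_NS}}}id"), "<unresolved>")
                    hits.append((name, el.tag.split("}")[1], target))
    return hits

# Constructed minimal package (not a real deck): one text run whose hover action launches a program.
SLIDE_XML = (
    '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
    f'xmlns:a="{A_NS}" xmlns:r="{R_NS}"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
    '<a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>'
    '<a:t>Loading...Please wait</a:t></a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>')
RELS_XML = (
    f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId2" TargetMode="External" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
    'Target="placeholder-program.exe"/></Relationships>')

def build_sample_pptx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", SLIDE_XML)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML)
    return buf.getvalue()

if __name__ == "__main__":
    for slide, trigger, target in find_program_actions(build_sample_pptx()):
        print(f"{slide}: {trigger} launches an external program -> {target}")
```

A benign deck produces no output, so the same function can be run over a mail-gateway quarantine to flag attachments that carry a program-launch action before any user hovers over the link.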
Zusy, also known as ‘Tinba’ (Tiny Banker), is a banking Trojan discovered in 2012. It targets financial websites and has the ability to sniff network traffic and perform Man-in-the-Browser attacks in order to inject additional forms into legitimate banking sites, asking victims to share further sensitive data such as credit card numbers, TANs, and authentication tokens.