Malware Delivered Using Mouseover Events Embedded in PowerPoint Files

Several researchers recently observed a new malware campaign that uses mouseover events embedded within PowerPoint files to deliver the payload. Once the malicious file is opened, a PowerPoint slide displays the following hyperlinked text: “Loading…Please wait.” If the user hovers the mouse over the hyperlinked text, a security notification is displayed requesting user action to enable the launch of external programs. If enabled, PowerShell then executes and contacts the hacker’s server to download malware onto the user’s computer. The malware observed created a backdoor into the infected system without the user’s knowledge and performed a series of functions designed to hide its presence. For more information and a list of indicators of compromise (IoCs), visit DodgeThisSecurity.comThe NJCCIC recommends administrators apply the Principle of Least Privilege for all user accounts, enable User Account Control, disable PowerShell if it is not needed, monitor inbound and outbound network traffic for anomalies, and remind end users to avoid opening emails and attachments from untrusted sources.