Techlord Posted June 13, 2017

Zusy: New PowerPoint Mouseover Based Malware

Relevant and interesting extracts from the article:

Quote:
#Hackers have found a way to download a malicious file when a hover action is performed over a #hyperlink. The interesting fact about this technique is that it did not rely on macros, JavaScript or VBA for the execution method, which makes it unique, as it does not use the normal exploitation methods; most Office malware relies on users activating macros to download some executable payload which does most of the malicious operations. This new variant of malware, dubbed "Zusy", has been found in the wild spreading as a PowerPoint file attached to spam emails with titles like "Purchase Order #130527" and "Confirmation", according to a Senior Security Researcher at SentinelOne Labs.

Here is How Zusy Malware Works

The malicious PowerPoint presentation file is delivered to potential victims as a file attachment to spam emails with titles like "RE:Purchase orders #819279" or "Fwd:Confirmation". When the victim opens the PowerPoint presentation file, which is in PPSX file format, the PowerPoint file opens in slideshow mode instead of edit mode. The victim then sees only the hyperlinked text "Loading… Please wait", and when he moves the cursor over the hyperlinked text the document will start executing a PowerShell command that runs an external program and creates a backdoor.

"When the user mouses over the hyperlinked text it results in PowerPoint executing PowerShell. This is accomplished by an element definition for a hover action. This hover action is set up to execute a program in PowerPoint once the user mouses over the text," said security researcher Ruben Daniel Dodge in his report.
Here is How To Be Safe from This Malware

Usually, most Office malware relies on users activating macros to download some executable payload which does most of the malicious operation, but this malware is different. Fortunately, Microsoft Office comes with a security feature called Protected View, which is turned on by default and prevents the PowerShell command from automatically executing an external program. However, this feature can be turned off, which is not recommended by Microsoft or from a security perspective. A Microsoft spokesperson, addressing the malware, says "Both Windows Defender and Office 365 Advanced Threat Protection also detect and remove the malware," according to Bleeping Computer. A user should always be suspicious of emails received from unfamiliar sources and keep a reputable, updated anti-virus program installed on the system. Technical analysis details of this malware can be found here in this article.
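The post above describes the mechanism only in words: a hyperlink on a text run whose hover action is defined as a "program" action, with the actual command stored in the slide's relationship file. A PPSX is an ordinary OOXML zip, so the hover action can be found without opening the file in PowerPoint. The scanner below is an added example written for this thread, not code from the original post, from SentinelOne or from Ruben Dodge's analysis. It walks `ppt/slides/slideN.xml`, looks for `a:hlinkClick` and `a:hlinkMouseOver` elements whose `action` attribute is `ppaction://program`, resolves the `r:id` against `ppt/slides/_rels/slideN.xml.rels`, and reports the external target. The two-slide package it builds for the demo is constructed here (the PowerShell target is a harmless `Write-Host`, not the real payload); slide 2 carries an ordinary URL hyperlink to show that plain links are not reported. The launcher regex is a heuristic of the author of this example, not a list from the article.

```python
"""Scan a PowerPoint OOXML package (.pptx/.ppsx) for hyperlink actions that
launch an external program, including the mouse-over (hover) variant.
Added example for this thread; not the original post's or SentinelOne's code."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

SLIDE_RE = re.compile(r"^ppt/slides/(slide\d+)\.xml$")
# Heuristic list of Windows launchers often found as the target of such actions.
LAUNCHER_RE = re.compile(
    r"^\s*(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|bitsadmin)\b",
    re.I)
# Element name -> what the user has to do for the action to fire.
TRIGGER = {"hlinkClick": "click", "hlinkMouseOver": "hover"}


def _slide_rels(zf, slide):
    """Map relationship Ids of one slide to (Target, TargetMode)."""
    path = f"ppt/slides/_rels/{slide}.xml.rels"
    if path not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(path))
    return {rel.get("Id"): (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
            for rel in root.iter(f"{{{NS_REL}}}Relationship")}


def scan_pptx_bytes(data):
    """Return one finding per click/hover action whose URI is ppaction://program.

    Plain URL hyperlinks (no action attribute, or another ppaction) are ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            m = SLIDE_RE.match(name)
            if not m:
                continue
            slide = m.group(1)
            rels = _slide_rels(zf, slide)
            root = ET.fromstring(zf.read(name))
            for tag, trigger in TRIGGER.items():
                for el in root.iter(f"{{{NS_A}}}{tag}"):
                    action = el.get("action", "")
                    if not action.lower().startswith("ppaction://program"):
                        continue
                    # The command line lives in the .rels file, keyed by r:id.
                    target, mode = rels.get(el.get(f"{{{NS_R}}}id"), ("", ""))
                    findings.append({"slide": slide, "trigger": trigger, "target": target,
                                     "external": mode == "External",
                                     "launcher": bool(LAUNCHER_RE.match(target))})
    return findings


def build_sample_ppsx():
    """Constructed two-slide package for the demo (not the real lure).

    slide1 mimics the described technique: 'Loading... Please wait' text with a
    mouse-over program action whose relationship target is a harmless PowerShell
    one-liner. slide2 has an ordinary URL hyperlink and must not be flagged."""
    hover_slide = f"""<p:sld xmlns:a="{NS_A}" xmlns:r="{NS_R}" xmlns:p="{NS_P}"><p:cSld><p:spTree>
<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US">
<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/></a:rPr>
<a:t>Loading... Please wait</a:t></a:r></a:p></p:txBody></p:sp>
</p:spTree></p:cSld></p:sld>"""
    hover_rels = f"""<Relationships xmlns="{NS_REL}">
<Relationship Id="rId2" Type="{REL_HYPERLINK}" TargetMode="External"
 Target="powershell -NoP -NonI -W Hidden -c &quot;Write-Host constructed-sample&quot;"/>
</Relationships>"""
    url_slide = f"""<p:sld xmlns:a="{NS_A}" xmlns:r="{NS_R}" xmlns:p="{NS_P}"><p:cSld><p:spTree>
<p:sp><p:txBody><a:p><a:r><a:rPr lang="en-US"><a:hlinkClick r:id="rId2"/></a:rPr>
<a:t>Our website</a:t></a:r></a:p></p:txBody></p:sp>
</p:spTree></p:cSld></p:sld>"""
    url_rels = f"""<Relationships xmlns="{NS_REL}">
<Relationship Id="rId2" Type="{REL_HYPERLINK}" TargetMode="External" Target="https://example.com/"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", hover_slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", hover_rels)
        zf.writestr("ppt/slides/slide2.xml", url_slide)
        zf.writestr("ppt/slides/_rels/slide2.xml.rels", url_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_ppaction.py deck.ppsx   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ppsx()
    for f in scan_pptx_bytes(data):
        flag = " [launcher]" if f["launcher"] else ""
        print(f"{f['slide']}: {f['trigger']} -> {f['target']!r}{flag}")
```

Run it against a real attachment with `python scan_ppaction.py deck.ppsx`; a `hover` finding whose target starts with a launcher is the pattern the article describes. Whether PowerPoint actually runs the target still depends on the user accepting the external-program prompt, as the later replies in this thread point out; the scanner only tells you the action is present in the file.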
kao Posted June 14, 2017

12 hours ago, Techlord said:
Quote: Microsoft Office comes with a security feature called Protected View which is turned on by default and prevents the PowerShell command from automatically executing an external program.

Here, fixed that for you: "If the user is an idiot who disables all MS Office security settings, the malware will run automatically upon hovering over a hyperlink." It's the same as claiming that Office macro malware runs automatically if the user has enabled Office macros - total nonsense and FUD.
Techlord (Author) Posted June 14, 2017 (edited)

On 6/14/2017 at 3:38 AM, kao said:
Quote: total nonsense and FUD

Maybe you didn't read the technical article properly, @kao! It requires UPDATED versions of MS Office with all the patches applied for this malware to not affect the systems. Also, this malware affects mostly the older MS Office suites. Unless you are willing to finance them, it's not possible for many offices to upgrade to the newer versions of MS software as soon as they are released! In the field, in the past 5 days, several thousand computers were affected by this malware, which is why I decided to post it here.

Some more excerpts so that we can maybe understand it better!

Quote:
Cybercriminals have started using a new technique to infect computers that only requires a victim to place their cursor over a malicious hyperlink for the malware to be injected. "This PowerPoint document was interesting to analyze," the researcher said. "First of all, this document was interesting as it did not rely on macros, JavaScript or VBA for the execution method. Which means this document does not conform to the normal exploitation methods." Jérôme Segura, lead malware intelligence analyst at Malwarebytes, told SC Media on Thursday that the mouse-over technique is "novel and interesting." The fact that this attack vector does not rely on a macro could make it less suspicious-looking to users and system administrators. Luckily, he said, it does not automatically run malicious code but instead requires the user to accept a prompt before finally infecting them.

and finally...

Quote:
"Indeed, this is a new technique and is quite malicious because the user is not taking much action, other than opening the file. This makes it harder to warn users about this method, but at the very least, all email users should be wary when opening files from unsolicited email. If the matter is not clear, it's best to call the sender and verify that the file was indeed sent by them. If the email comes from an unknown source, don't even open the email, nor the files it contains," she said.

Full article here.

Edited January 10, 2018 by Techlord: Removed any offending remarks ;)
kao Posted June 14, 2017

Well, I did read the original article. And here's the important part in full:

Quote:
"However, the code doesn't execute automatically as soon as the file is opened. Instead, both Office 2013 and Office 2010 display a severe warning by default: (image showing the warning in MS Office) Users might still somehow enable external programs because they're lazy, in a hurry, or they're only used to blocking macros."

My point still stands - the moron who wrote the post on HackingVision is either incompetent or intentionally spreading FUD.
Techlord (Author) Posted June 14, 2017

Well, even SANS and several other respected organizations deemed it important enough to post it in their publications. Maybe "advanced" members like you, @kao, and crystalboy, who liked your post, do not need such warnings, but mortals like us do find it helpful. You may not be familiar with it, but while a lot of office folk do know not to click on attachments or run them, they do not know the dangers of merely hovering over the links. Also, you may not have seen it in the field, but several clerks etc. who have a ton of emails to read and respond to daily have told me in the past that they find this feature, wherein they can see the preview by hovering over it, quite convenient. So they keep it on. They do know not to click on links, though. Now @kao will say that SANS also has m0rons who wrote it?

Cheers
kao Posted June 15, 2017 (edited)

Again, hovering over the link is not the problem. The user disabling MS Office built-in protections is. I'm not saying that the technique is not novel or dangerous - it is both. So, SANS and other publications are right to write about it. However, it is incorrect to claim that you will get infected automatically just by hovering over the hyperlink. And unlike HackingVision, SANS editors got their comments correct:

Quote:
"exploit [sic!] relies on PowerPoint being configured to execute external content ... PowerPoint by default displays a user bypassable warning. ... mitigation is user not enabling the external content."

EDIT: 14 hours ago, Techlord said:
Quote: It requires UPDATED versions of MS Office with all the patches applied for this malware to not affect the systems. Also, this malware affects mostly the older MS Office suites. Unless you are willing to finance them, it's not possible for many offices to upgrade to the newer versions of MS software as soon as they are released!

Another totally bogus claim. Even 10-year-old MS Office 2007 without any service packs does not run the malware automatically: (screenshot of the Office 2007 warning)

Edited June 15, 2017 by kao
atom0s Posted June 15, 2017

For normal home use, I would see this as a problem for people that do not read popups and just assume seeing the word 'Enable' means "I need to click that to read the PowerPoint". However, I see this more as an issue in a business environment, where silent installs of new systems happen all the time and, in more or less poor practice, those installers may disable protections to make 'workflow in the business' "faster". A lot of companies push aside security/protection to ease the work of a 9-5 paper pusher from having to click extra boxes or continuously ask the same question of 'which one do I click?' any time the box pops up. So I would see this affecting businesses the most rather than home users.
Techlord (Author) Posted June 15, 2017

1 hour ago, atom0s said:
Quote: However, I see this more as an issue in a business environment, where silent installs of new systems happen all the time and, in more or less poor practice, those installers may disable protections to make 'workflow in the business' "faster". A lot of companies push aside security/protection to ease the work of a 9-5 paper pusher from having to click extra boxes or continuously ask the same question of 'which one do I click?' any time the box pops up. So I would see this affecting businesses the most rather than home users.

Yes, this is exactly why I wanted to highlight it here. Most of us do work in offices (very few of us on this forum are 14-year-olds), and when something is considered so bad that even SANS and other orgs want to highlight it, it's good for us to be aware of it.
secursig Posted July 22, 2017

This thread reminds me of this. Hovering/clicking is not required, since the kernel-level scanner will simply use some crappy heuristics, which can be easily fooled, in order to determine if JavaScript should be executed. All you have to do is get it to pass through the network card (downloaded, emailed, or otherwise... not even opened by the user) to take advantage; no other user interaction necessary. It's pretty bad.

Quote:
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Centre Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT AUTHORITY\SYSTEM without sandboxing, and is remotely accessible without authentication via various Windows services, including Exchange, IIS, and so on. On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on. This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine. MIME types and file extensions are not relevant to this vulnerability, as MsMpEng uses its own content identification system.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5