Zusy Malware: Malicious Attack Installs Via Mouseover


A new round of spam campaigns discovered by security researchers requires extra caution from users, since simply running the cursor over the malicious link can lead to the installation of malware.

The attack, highlighted by cyberintelligence analyst Ruben Dodge, takes advantage of a vulnerability found in the Microsoft Office application PowerPoint to infect a victim’s computer with a strain of malware known as Zusy.

The base of the attack is not all that different from the standard malware scheme. A user receives an email with a compromised PowerPoint document attached that has been dressed up to look like a legitimate file in hopes of getting the user to open it.

If the user opens the file, an innocuous-looking message that says, “Loading … Please Wait,” is displayed. However, the newest scam contains a hyperlink that, if hovered over, will trigger a command that infects the computer with the Zusy malware, no clicking required.
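As an added example (not from the article or from Dodge's research), the following Python checker opens a .ppsx/.pptx package and reports every hyperlink whose action is `ppaction://program`, the PowerPoint action that launches an external program, together with the trigger (hover or click) and the relationship target it resolves to. It assumes the standard OOXML slide and `_rels` layout and builds its own constructed, placeholder-only sample deck in memory; it goes slightly beyond the article by also catching the click-triggered variant.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

A = "http://schemas.openxmlformats.org/drawingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_program_actions(data):
    """Scan a .ppsx/.pptx package; return (slide, trigger, target) for every
    hyperlink whose action is ppaction://program (runs an external program)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"ppt/slides/(slide\d+)\.xml", name)
            if not m:
                continue
            rels = "ppt/slides/_rels/%s.xml.rels" % m.group(1)  # r:id -> Target map
            targets = {}
            if rels in names:
                for rel in ET.fromstring(z.read(rels)).iter("{%s}Relationship" % REL):
                    targets[rel.get("Id")] = rel.get("Target")
            root = ET.fromstring(z.read(name))
            for trigger in ("hlinkMouseOver", "hlinkClick"):  # hover or click
                for el in root.iter("{%s}%s" % (A, trigger)):
                    if (el.get("action") or "").startswith("ppaction://program"):
                        findings.append((m.group(1), trigger, targets.get(el.get("{%s}id" % R), "")))
    return findings

def build_sample(trigger="hlinkMouseOver", action="ppaction://program"):
    """Constructed minimal deck (not a real sample): one slide whose link fires
    `action` on `trigger`; action=None yields an ordinary hyperlink."""
    attr = ' action="%s"' % action if action else ""
    slide = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        'xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:rPr><a:%s r:id="rId2"%s/></a:rPr><a:t>Loading... Please Wait</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>' % (A, R, trigger, attr)
    )
    rels = (
        '<Relationships xmlns="%s"><Relationship Id="rId2" TargetMode="External" '
        'Type="%s/hyperlink" Target="PLACEHOLDER_COMMAND"/></Relationships>' % (REL, R)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Point `find_program_actions` at the bytes of a real attachment to triage it; a non-empty result means the deck will try to run something on hover or click, which is a sufficient reason to quarantine it.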

This is a relatively new delivery method for malware: it sidesteps the usual routes, which rely on more user interaction or on software vulnerabilities to infect a device.

Thus far, the attack has also been mostly unsuccessful. Recent versions of Microsoft Office warn users about files that are potentially laced with malicious code, and some security tools such as Malwarebytes protect users against such an attack.

Microsoft Office 2013 and Office 2010 include a feature called Protected View that, when enabled, will produce a warning when attempting to open an infected file. The warning reads: “Microsoft Office has identified a potential security concern.” Users can then choose to close the file before being exposed to the malware.

Users should still be aware of the threat as even a low level of success means that some have fallen victim to the attack.

The attack is commonly spread through spam emails with subject lines like “Purchase Order #” or “Confirmation.” Those messages will have a PowerPoint file attached with a name like “order.ppsx,” “invoice.ppsx” or “order&prsn.ppsx.”

If the attack is successful, Zusy will infect a user’s device. The malicious software, which has made its rounds in a number of variations over the years, is known for stealing user information.

To enable Protected View in PowerPoint, start the application and click the File menu, then choose Options. From inside options, click Trust Center and open Trust Center Options. An option for Protected View should appear, and a checkbox will show if it is enabled or disabled. Make sure the checkbox is selected and click OK.