There’s a new method of launching malware infections that only requires the victim to hover over an embedded hyperlink. The attack has been seen in emails, various MS Office files, and even on infected web pages. When a victim hovers over the hyperlink, a PowerShell script tries to download and install the malware – a Trojan horse, in this case, which opens a back door to the infected computer.
Older versions of MS Office are particularly susceptible. Newer versions of Office launch a security dialogue that prompts the user to enable or disable the script. Clicking the “Disable” button blocks the script from running. Many users, though, clicked the “Enable” button thinking it would make the dialogue go away, and that ended up infecting their computers. The computers primarily at risk are those running MS Windows. PowerShell is not natively installed on Apple or Android devices, so they’re less susceptible to this type of attack.
You can read more in the following articles. The hyperlinks are safe; I put them in the email myself. But, if you prefer, you can do a Google search using the string “powerpoint banking trojan hover”. The first article below is the one that was brought to my attention over the weekend. The second is a Trend Micro blog article with more detail. The third is apparently the original article that brought the threat to everyone’s attention. FYI – it’s very technical.
- Banking trojan executes when targets hover over link in PowerPoint doc
- Mouse Over, Macro: Spam Run in Europe Uses Hover Action to Deliver Banking Trojan
- New PowerPoint Mouseover Based Downloader – Analysis Results