Cybercriminals are reported to be using a mouse hover by the targeted victim to automatically execute PowerShell code embedded in a malicious PowerPoint file. Attachments named “order.ppsx” or “invoice.ppsx” are currently being sent via spam, with subject lines that include “Purchase Order # 130527” and “Confirmation Letter”.
Analysis shows that when a user opens the PowerPoint presentation, they see a blue hyperlink reading “Loading … Please wait”. If the user hovers over the link, it fires the PowerShell code even if they do not click. Once the user opens the document, the PowerShell code connects to the “cccn.nl” domain and downloads the file responsible for delivering the malware.
The security researcher says that the Protected View security feature on the user's device informs the user of the risk and prompts them to enable or disable the action. In addition, SentinelOne researchers analyzing the attack observed that cybercriminals use the technique to spread new variants of the banking Trojans Zusy, Tinba and Tiny Banker.