Mouseover Macro Campaign Delivers Gootkit Trojan Via PowerPoint

Earlier this week, a researcher analyzed a newly detected technique for delivering malware involving PowerPoint files and mouseover events. Today, Trend Micro has published details on a spam campaign it detected in late May using the same technique.

TrendLabs researchers Rubio Wu and Marshall Chen suggest that although the recent campaign was limited (which in itself is not unusual as attackers try to avoid detection), it could be considered a dry run for future campaigns. The campaign was targeted particularly and organizations in the U.K., Poland, Netherlands, and Sweden. 

Similar to the earlier analysis, it used emails with a subject comprising a finance-related word followed by a number. “The pattern we saw,” notes the TrendLabs report “is ‘[fee] #__NUM__’, indicating that the operator, or the service provider that sends the spam email on behalf of the operator, are tracking the spam messages they send.”

The email is disguised as an invoice or purchase order and has a malicious PowerPoint Show file attached. This opens directly in presentation mode. The malicious macro will attempt to run as soon as the mouse is moved over the presentation; but is generally prevented by Microsoft’s Protected View until and unless the user ‘enables’ macros.

“Hence,” say the researchers, “a key ingredient in the infection chain is social engineering — luring the victim into opening the file and enabling the malware-laced content to run on the system.” The report does not elaborate on this, merely pointing out that, “A socially engineered email and mouse hover — and possibly a click if the latter is disabled — are all it would take to infect the victim.”

Once the macro runs, an embedded malicious PowerShell script is executed to download another downloader (JS_NEMUCOD.ELDSAUGH) in the form of a JScript Encoded File (JSE). It is this that retrieves the final payload from a command-and-control (C&C) server.

The payload detected by TrendLabs is a variant of the OTLARD banking Trojan, also known as Gootkit. This is well-known in Europe for stealing credentials and bank account information. TrendLabs suggests the detected campaign may be the precursor of wider use. “It wouldn’t be far-fetched for other malware like ransomware to follow suit,” say the researchers; “for instance, considering the notoriety of OTLARD/Gootkit’s operators for spreading other threats in their payloads, as well as ransomware’s history with using malware-laced Office documents.”

This behavior is typical of the Gootkit operators: small campaigns focused on a limited number of countries — but with innovative and advanced operators. Earlier this year, the Gootkit malware evolved from web-injection to redirection which is a more difficult but potentially more successful way of deceiving users.

The danger inherent in this type of macro-based mouseover attack is that it can be entirely invisible to the victim. Ensuring that Microsoft’s Protected View is enforced will at least prevent the malicious macro from running automatically — but that will still require the user to be aware and to refuse to enable macros. Locking down and adopting best practices for using tools and services like PowerShell will also help.

The bottom-line, however, is that security awareness is the best defense against this new breed of macro-based attacks. “Given that social engineering is vital in these attacks,” say the researchers, “fostering a culture of cybersecurity among employees helps mitigate a weakness for which there is no silver bullet — the human psyche.”